You could expire the account, and not the password. Not the most elegant way, but I could not find any other way to implement password expiry. I did try it a while back on a much older version, so I can't tell if the latest code still supports it. All I needed to have in OpenLDAP is shadowExpire and no other "shadow" attributes.

sssd.conf

[pam]
....
pam_verbosity = 1
pam_pwd_expiration_warning = 21
pam_account_expired_message = Your LDAP password has expired, please use selfservice portal to change your LDAP password
....

[domain/xyz]
....
# SET Account expiration to shadowAccount
ldap_account_expire_policy = shadow
ldap_user_shadow_expire    = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))

# SET Password expiration to none
ldap_pwd_policy = none
ldap_access_order = filter, expire
....



On 10/31/18 10:26 AM, Bartłomiej Solarz-Niesłuchowski wrote:
Dear List,

On my network we use LDAP for password "aging".


Every user is defined in the LDAP server (OpenLDAP) with 5 attributes:

shadowLastChange: 15308
shadowInactive: 30
shadowMin: 0
shadowMax: 120
shadowWarning: 30


sssd uses 6 attributes:


    shadowLastChange
    shadowMin
    shadowMax
    shadowWarning
    shadowInactive
    shadowExpire

We have NO shadowExpire attribute (from a mathematical point of view, shadowExpire = shadowLastChange+shadowLastChange).


So how can we use sssd with the password "aging" option?


Best Regards


_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
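The account-expiry workaround in the reply above hinges on shadowExpire being a count of days since 1970-01-01. The script below is an added example, not code from either poster or from the sssd project: it converts dates to and from that day count in plain shell arithmetic (giving the same value as the reply's GNU date one-liner, without depending on GNU date), derives a shadowExpire for the original poster's sample entry, and emits the LDIF that sets it. The DN, the uid, and the rule shadowExpire = shadowLastChange + shadowMax + shadowInactive (disable the account once the password is past shadowMax plus the shadowInactive grace period) are assumptions; the sample entry is constructed from the attribute values in the original post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): derive shadowExpire for an OpenLDAP
# shadowAccount so that sssd's "expire" access provider can disable the account.
set -eu

# Days since 1970-01-01 for a civil date y m d (Howard Hinnant's days_from_civil,
# valid for years >= 0). Equivalent to the reply's
#   echo $(($(date --utc --date "$date" +%s)/86400))
# but without a GNU date dependency.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Inverse of the above: day count -> YYYY-MM-DD (Hinnant's civil_from_days).
civil_from_days() {
    z=$(($1 + 719468))
    era=$((z / 146097))
    doe=$((z - era * 146097))
    yoe=$(((doe - doe / 1460 + doe / 36524 - doe / 146096) / 365))
    y=$((yoe + era * 400))
    doy=$((doe - (365 * yoe + yoe / 4 - yoe / 100)))
    mp=$(((5 * doy + 2) / 153))
    d=$((doy - (153 * mp + 2) / 5 + 1))
    if [ "$mp" -lt 10 ]; then m=$((mp + 3)); else m=$((mp - 9)); fi
    if [ "$m" -le 2 ]; then y=$((y + 1)); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Read one "attr: value" from LDIF text ($1) by attribute name ($2).
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2:" '$1 == a { print $2; exit }'
}

# Assumed policy: the account is disabled once the password has aged past
# shadowMax and the shadowInactive grace period has also elapsed.
shadow_expire_from_entry() {
    last=$(ldif_attr "$1" shadowLastChange)
    max=$(ldif_attr "$1" shadowMax)
    inactive=$(ldif_attr "$1" shadowInactive)
    echo $((last + max + inactive))
}

# LDIF modify operation that sets (or replaces) shadowExpire on the entry.
shadow_expire_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: shadowExpire\nshadowExpire: %s\n' "$1" "$2"
}

# Constructed sample entry: attribute values from the original post, DN assumed.
SAMPLE_DN='uid=jdoe,ou=People,dc=example,dc=com'
SAMPLE_ENTRY="dn: $SAMPLE_DN
objectClass: shadowAccount
shadowLastChange: 15308
shadowInactive: 30
shadowMin: 0
shadowMax: 120
shadowWarning: 30"

main() {
    expire=$(shadow_expire_from_entry "$SAMPLE_ENTRY")
    echo "password last changed: $(civil_from_days "$(ldif_attr "$SAMPLE_ENTRY" shadowLastChange)")"
    echo "shadowExpire=$expire ($(civil_from_days "$expire"))"
    shadow_expire_ldif "$SAMPLE_DN" "$expire"
}

main
```

Pipe the emitted LDIF into `ldapmodify` against the directory. Because OpenLDAP does not maintain shadowExpire itself, the value has to be recomputed whenever shadowLastChange changes (for instance from a periodic job that walks the shadowAccount entries); once the stored day count is in the past, the reply's `ldap_access_order = filter, expire` makes sssd deny the login with the configured pam_account_expired_message.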