problems with expiring password - sssd-users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

problems with expiring password

Ubuntu Bionic - sssd 1.16.1 -...

Clarification on Keytabs, UPNs,...

Bartłomiej Solarz-Niesłuchowski

Wednesday, 31 October 2018 Wed, 31 Oct '18

9:26 a.m.

Dear List, On my network we use ldap to "aging" password. Every user is definied in ldap server (openldap) with 5 attributes: shadowLastChange: 15308 shadowInactive: 30 shadowMin: 0 shadowMax: 120 shadowWarning: 30 the sssd uses 6 attributes: shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire We have NO shadowExpire attribute (in mathematical point of view shadowExpire = shadowLastChange+shadowLastChange). So how can we use sssd with password "aging" option....? Best Regards -- Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ e-mail: Bartlomiej.Solarz-Niesluchowski(a)wit.edu.pl tel. 223486547, fax 223486501 JID: solarz(a)jabber.wit.edu.pl 01-447 Warszawa, ul. Newelska 6, pokój 421, pon.-pt. 8-16 Motto - Jak sobie pościelisz tak sie wyśpisz

Attachments:

smime.p7s (application/pkcs7-signature — 3.3 KB)

Reply

Show replies by date

Michael Ströder

Wednesday, 31 October Wed, 31 Oct

9:57 a.m.

On 10/31/18 3:26 PM, Bartłomiej Solarz-Niesłuchowski wrote:

On my network we use ldap to "aging" password. Every user is definied in ldap server (openldap) with 5 attributes: shadowLastChange: 15308 shadowInactive: 30 shadowMin: 0 shadowMax: 120 shadowWarning: 30

The shadowAccount concept is broken. You should use OpenLDAP's ppolicy overlay to implement proper password expiry. The advantage is also that password expiry is applied to all uses of LDAP bind and not only with a NSS client. Ciao, Michael.

Reply

Mario Rossi

10:55 a.m.

You could expire the account, and not the password. Not the most elegant way, but I could not find any other way to implement password expiry. I did try it a while back on a much older version, so I can't tell if latest code still supports it. All I needed to have in OpenLDAP is shadowExpire and no other "shadow" attributes. sssd.conf [pam] .... pam_verbosity = 1 pam_pwd_expiration_warning = 21 pam_account_expired_message = Your LDAP password has expired, please use selfservice portal to change your LDAP password .... [domain/xyz] .... # SET Account expiration to shadowAccount ldap_account_expire_policy = shadow ldap_user_shadow_expire = shadowExpire # shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400)) # SET Password expiration to none ldap_pwd_policy = none ldap_access_order = filter, expire .... On 10/31/18 10:26 AM, Bartłomiej Solarz-Niesłuchowski wrote:

Dear List, On my network we use ldap to "aging" password. Every user is definied in ldap server (openldap) with 5 attributes: shadowLastChange: 15308 shadowInactive: 30 shadowMin: 0 shadowMax: 120 shadowWarning: 30 the sssd uses 6 attributes: shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire We have NO shadowExpire attribute (in mathematical point of view shadowExpire = shadowLastChange+shadowLastChange). So how can we use sssd with password "aging" option....? Best Regards _______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...

Reply

1997

days inactive

1997

days old

sssd-users@lists.fedorahosted.org

Manage subscription

2 comments

3 participants

tags (0)

participants (3)

Bartłomiej Solarz-Niesłuchowski
Mario Rossi
Michael Ströder