Dear List,
On my network we use LDAP for password "aging".
Every user is defined in the LDAP server (openldap) with 5 attributes:
shadowLastChange: 15308
shadowInactive: 30
shadowMin: 0
shadowMax: 120
shadowWarning: 30
sssd uses 6 attributes:
shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire
We have NO shadowExpire attribute (from a mathematical point of view shadowExpire = shadowLastChange+shadowLastChange).
So how can we use sssd with the password "aging" option?
Best Regards
On 10/31/18 3:26 PM, Bartłomiej Solarz-Niesłuchowski wrote:
> On my network we use LDAP for password "aging".
> Every user is defined in the LDAP server (openldap) with 5 attributes:
> shadowLastChange: 15308
> shadowInactive: 30
> shadowMin: 0
> shadowMax: 120
> shadowWarning: 30
The shadowAccount concept is broken. You should use OpenLDAP's ppolicy overlay to implement proper password expiry. The advantage is also that password expiry is applied to all uses of LDAP bind and not only with a NSS client.
Ciao, Michael.
You could expire the account, and not the password. Not the most elegant way, but I could not find any other way to implement password expiry. I did try it a while back on a much older version, so I can't tell if latest code still supports it. All I needed to have in OpenLDAP is shadowExpire and no other "shadow" attributes.
sssd.conf:

[pam]
....
pam_verbosity = 1
pam_pwd_expiration_warning = 21
pam_account_expired_message = Your LDAP password has expired, please use selfservice portal to change your LDAP password
....

[domain/xyz]
....
# SET Account expiration to shadowAccount
ldap_account_expire_policy = shadow
ldap_user_shadow_expire = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled:
#   $ echo $(($(date --utc --date "$1" +%s)/86400))

# SET Password expiration to none
ldap_pwd_policy = none
ldap_access_order = filter, expire
....
On 10/31/18 10:26 AM, Bartłomiej Solarz-Niesłuchowski wrote:
> Dear List,
> On my network we use LDAP for password "aging".
> Every user is defined in the LDAP server (openldap) with 5 attributes:
> shadowLastChange: 15308
> shadowInactive: 30
> shadowMin: 0
> shadowMax: 120
> shadowWarning: 30
> sssd uses 6 attributes:
> shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire
> We have NO shadowExpire attribute (from a mathematical point of view shadowExpire = shadowLastChange+shadowLastChange).
> So how can we use sssd with the password "aging" option?
> Best Regards
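The config in the reply above only works if every entry actually carries shadowExpire, which the original poster's directory lacks. The following is an added example, not code from the thread or from sssd: it derives a shadowExpire day number from the attributes the users already have, applies the same "expired once today is past shadowExpire" rule sssd's shadow policy uses, and emits the LDIF to set it. The formula shadowLastChange + shadowMax + shadowInactive (max password age plus the grace period) and the DN are my assumptions.

```python
"""Derive shadowExpire for sssd's ldap_account_expire_policy = shadow.

Added example for the thread above; not part of sssd or OpenLDAP.
Assumption: the account is expired once the password is both past
shadowMax and past the shadowInactive grace period.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(year: int, month: int, day: int) -> int:
    """Same number the reply's shell one-liner computes:
    $(($(date --utc --date "$1" +%s)/86400))"""
    return (date(year, month, day) - EPOCH).days


def shadow_expire_day(last_change: int, shadow_max: int, inactive: int = 0) -> int:
    """Day number (days since 1970-01-01) on which the account expires.
    Assumed formula: shadowLastChange + shadowMax + shadowInactive."""
    return last_change + shadow_max + inactive


def account_expired(expire_day: int, today_day: int) -> bool:
    """sssd shadow rule: the account is disabled once today is past shadowExpire."""
    return today_day > expire_day


def shadow_expire_ldif(dn: str, expire_day: int) -> str:
    """LDIF modify operation that sets (or replaces) shadowExpire on one entry."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: shadowExpire\n"
        f"shadowExpire: {expire_day}\n"
    )


# Constructed sample entry using the attribute values quoted in the original post;
# the DN is invented for the example.
SAMPLE_USER = {
    "dn": "uid=example,ou=People,dc=example,dc=org",
    "shadowLastChange": 15308, "shadowMax": 120, "shadowInactive": 30,
}

if __name__ == "__main__":
    exp = shadow_expire_day(SAMPLE_USER["shadowLastChange"],
                            SAMPLE_USER["shadowMax"], SAMPLE_USER["shadowInactive"])
    print(shadow_expire_ldif(SAMPLE_USER["dn"], exp))
    today = date.today()
    print("expired today:", account_expired(exp, days_since_epoch(today.year, today.month, today.day)))
```

Feed the printed LDIF to ldapmodify for each user; the expiry rule applies at every login through sssd, not only when the password itself is checked.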
sssd-users mailing list -- sssd-users@lists.fedorahosted.org