I was told by the good folks at the 389-users mailing list to instead redirect my question to the sssd-users list so here goes, thanks in advance!
All,
I am in the process of moving away from pam_ldap and on to pam_sss. The basic sssd setup is working just fine: user authentication works, getent passwd works, caching is great, everything looks like it's working fine except for password policy enforcement. I am wondering if there is some sort of password policy overlay I need to use, or a special setup of sssd.conf. I tried using "ldap_pwd_policy=shadow"; however, this doesn't allow me to change passwords, I instead get this error:
[user1@someserver ~]$ passwd
Changing password for user user1.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Failed to update password
(3 second delay here)
passwd: Authentication token is no longer valid; new one required
As soon as I comment out ldap_pwd_policy=shadow this error goes away; however, so does my password policy enforcement.
If anyone could help it would be greatly appreciated, I will post a working config on my blog after this is done so we can help others too.
Thanks! Daniel B.
On Wed, Sep 11, 2013 at 06:25:25PM +0000, Bright, Daniel wrote:
Hi Daniel,
what kind of password policy do you use on the server, if any? Is it anything like https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/... ?
Can you post the sanitized version of your pam_ldap configuration so we can suggest the best SSSD alternative?
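The thread turns on what ldap_pwd_policy=shadow actually enforces: with that setting SSSD reads the shadow(5)-style attributes from the LDAP user entry (shadowLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive, shadowExpire) and applies the usual shadow aging rules client-side. The example below is added here to illustrate those rules; it is not SSSD's own code and not anything posted in the thread. It parses a constructed LDAP entry and reports the password-aging status for a given "today" (days since the epoch, the unit the shadow fields use). Negative or absent values are treated as "not set", the shadow(5) convention.

```python
"""Evaluate shadow(5)-style password aging as stored in LDAP shadow attributes.
Added illustration of the semantics behind ldap_pwd_policy=shadow; this is not
SSSD's implementation. Days are counted since 1970-01-01, as shadow(5) does."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ShadowPolicy:
    last_change: Optional[int]        # shadowLastChange: day of last password change
    min_days: Optional[int] = None    # shadowMin: days before the password may be changed again
    max_days: Optional[int] = None    # shadowMax: days the password stays valid
    warn_days: Optional[int] = None   # shadowWarning: days of warning before expiry
    inactive_days: Optional[int] = None  # shadowInactive: grace days after expiry
    expire_day: Optional[int] = None  # shadowExpire: absolute day the account expires


def _opt_int(entry: Dict[str, List[str]], attr: str) -> Optional[int]:
    """Read a single-valued integer attribute; missing or negative means unset."""
    values = entry.get(attr)
    if not values:
        return None
    value = int(values[0])
    return value if value >= 0 else None


def from_ldap_entry(entry: Dict[str, List[str]]) -> ShadowPolicy:
    """Build a ShadowPolicy from an LDAP entry given as {attribute: [values]}."""
    return ShadowPolicy(
        last_change=_opt_int(entry, "shadowLastChange"),
        min_days=_opt_int(entry, "shadowMin"),
        max_days=_opt_int(entry, "shadowMax"),
        warn_days=_opt_int(entry, "shadowWarning"),
        inactive_days=_opt_int(entry, "shadowInactive"),
        expire_day=_opt_int(entry, "shadowExpire"),
    )


def evaluate(p: ShadowPolicy, today: int) -> Tuple[str, str]:
    """Return (status, explanation) following shadow(5) aging rules.

    Statuses: account_expired, locked, must_change, warn, ok.
    """
    # shadowExpire is an absolute cut-off for the whole account, checked first.
    if p.expire_day is not None and today >= p.expire_day:
        return "account_expired", f"account expired on day {p.expire_day}"
    # No shadowLastChange means no aging information; nothing to enforce.
    if p.last_change is None:
        return "ok", "no shadowLastChange; aging not enforced"
    # shadowLastChange = 0 forces a change at next login.
    if p.last_change == 0:
        return "must_change", "shadowLastChange is 0; password change required"
    if p.max_days is not None:
        expires = p.last_change + p.max_days
        if today > expires:
            # After expiry the password may still be changed for shadowInactive
            # days; beyond that the account is locked.
            if p.inactive_days is not None and today > expires + p.inactive_days:
                return "locked", f"password expired on day {expires}; grace period over"
            return "must_change", f"password expired on day {expires}"
        if p.warn_days is not None and today >= expires - p.warn_days:
            return "warn", f"password expires in {expires - today} day(s)"
    return "ok", "password within policy"


def can_change(p: ShadowPolicy, today: int) -> bool:
    """shadowMin: a change is refused until min_days have passed since the last one."""
    if p.last_change is None or not p.min_days:
        return True
    return today >= p.last_change + p.min_days


# Constructed sample entries (not real directory data) and a fixed "today".
SAMPLE_TODAY = 16000
SAMPLE_ENTRIES = {
    "fresh":    {"shadowLastChange": ["15950"], "shadowMax": ["90"], "shadowWarning": ["7"]},
    "warning":  {"shadowLastChange": ["15960"], "shadowMax": ["45"], "shadowWarning": ["7"]},
    "expired":  {"shadowLastChange": ["15900"], "shadowMax": ["90"], "shadowWarning": ["7"]},
    "locked":   {"shadowLastChange": ["15900"], "shadowMax": ["60"], "shadowInactive": ["10"]},
    "forced":   {"shadowLastChange": ["0"]},
    "noaging":  {"shadowLastChange": ["15000"], "shadowMax": ["-1"]},
    "gone":     {"shadowLastChange": ["15990"], "shadowExpire": ["15999"]},
}


def report(today: int = SAMPLE_TODAY) -> Dict[str, str]:
    """Evaluate every sample entry; returns {name: status}."""
    return {name: evaluate(from_ldap_entry(e), today)[0] for name, e in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:8s} {status}")
```

The point for the thread is that every one of these decisions depends on shadowLastChange being present and writable: after a successful password change the client side expects that attribute to be brought up to date, so a directory that does not expose the shadow attributes, or does not let them be updated, cannot support this policy mode no matter what sssd.conf says.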
sssd-users@lists.fedorahosted.org