URL: https://github.com/SSSD/sssd/pull/5928 Title: #5928: IPA: Add password expire warning
sumit-bose commented:
"""
> @sumit-bose if there is a chance you can take a look at the code of this PR
> and tell me if approach with hard coded options is OK in this case?

Hi,

using a hardcoded default is ok, but you only have to add `LDAP_ACCESS_EXPIRE_POLICY_WARN`. Nevertheless it would be good if the IPA provider can check `ldap_access_order` as well because I would expect that sooner or later someone will ask to not only warn but reject the user which would be `LDAP_ACCESS_EXPIRE_POLICY_DENY`.

Related to Alexey's question about #3635, currently the fix would be limited to IPA users where `ldap_pwd_policy = mit_kerberos` applies. For AD users we currently do not read or evaluate the `msDS-UserPasswordExpiryTimeComputed` attribute. So this attribute should be added to the list of user attributes and a new e.g. `ldap_pwd_policy = ad` should be added to evaluate it. For IPA an `ldap_pwd_policy = ipa` might be needed as well since we might have to check IPA and AD users.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-1009843750