On Sun, Feb 23, 2020 at 06:27:04PM -0800, Chris Paul via FreeIPA-users wrote:
> I am having a problem with the ipa_pwd_extop plugin when using sssd-ldap with
> FreeIPA (all providers set to "ldap"). If a user changes their password, they
> get stuck in a password expiration loop where each login or sudo forces a
> password reset. This happens only with sssd-ldap clients using LDAP
> providers. It is not a problem for a regular IPA client. One related
> customization that I have made is to the 389DS which is part of FreeIPA: I set
> "passwordExp: on" in "cn=config". This causes 389DS to interpret
> passwordExpirationTime and is documented here:
> https://directory.fedoraproject.org/docs/389ds/design/password-controls.html.
>
> Some more details: It seems to be that if the ipa_pwd_extop plugin is
> enabled, a user password reset using SSSD-LDAP triggers a replace of the
> passwordExpirationTime attribute with the value "19700101000000Z". Whenever
> passwordExpirationTime is "19700101000000Z" (admin reset), 389DS returns
> "Server is unwilling to perform (53)" for any BINDs. SSSD-LDAP interprets
> this as an expired password, which forces a password reset (with
> "ldap_access_order = pwd_expire_policy_renew, filter" set in
> /etc/sssd/sssd.conf). When the password is reset, the ipa_pwd_extop resets
> the passwordExpirationTime attribute with the value "19700101000000Z" which
> begins another iteration of the loop.
Hi,

can you send your sssd.conf?

bye,
Sumit

>
> Is this even the right list to ask questions about this problem?
> Is this a bug in the plugin or is there some good reason why it replaces the
> passwordExpirationTime attribute with the value "19700101000000Z"?
>
> Maybe one solution is to set "passwordExp: off" in "cn=config", but then
> we can have account expiration with SSSD-LDAP clients.
>
> I'd appreciate your ideas. Many Thanks,
>
> CP
>
> Chris Paul
> Rex Consulting, Inc
> 5652 Florence Terrace, Oakland, CA 94611
> email: [email protected]
> web: http://www.rexconsulting.net/
> phone, toll-free: +1 (888) 403-8996 ext 1
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
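To scope the loop Chris describes before changing anything, an administrator can audit which accounts currently carry the "19700101000000Z" sentinel in passwordExpirationTime versus a genuinely past or future expiry. The script below is an added example, not code from the thread or from FreeIPA/389DS; it parses constructed ldapsearch-style LDIF output (the user entries and the base DN are hypothetical) and classifies each entry, which is the check you would run over a real `ldapsearch -LLL ... uid passwordExpirationTime` dump.

```python
import re

# Value the thread reports ipa_pwd_extop writing after a reset (the 389DS
# "admin reset" marker that makes BINDs fail with result code 53).
ADMIN_RESET_SENTINEL = "19700101000000Z"

# Constructed sample LDIF (hypothetical users and suffix), shaped like
# `ldapsearch -LLL -b cn=users,... uid passwordExpirationTime` output.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
passwordExpirationTime: 19700101000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
passwordExpirationTime: 20190101000000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
passwordExpirationTime: 20991231235959Z

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
"""

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines only (no base64 '::' values or line continuations)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def classify(entry, now):
    """Classify passwordExpirationTime relative to `now` (both are 389DS
    GeneralizedTime strings, YYYYMMDDHHMMSSZ, which sort lexically)."""
    values = entry.get("passwordExpirationTime")
    if not values:
        return "unset"            # attribute absent: no expiry recorded
    if values[0] == ADMIN_RESET_SENTINEL:
        return "admin-reset"      # will be refused at BIND; loop candidate
    return "expired" if values[0] <= now else "valid"

def audit(ldif_text, now):
    """Map uid -> classification for every entry in the LDIF text."""
    return {e["uid"][0]: classify(e, now) for e in parse_ldif(ldif_text)}
```

Accounts reported as "admin-reset" are the ones that will hit "unwilling to perform (53)" on their next BIND and, with the sssd.conf setting quoted above, be pushed into another reset.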
