On Fri, Jul 18, 2014 at 11:22:05AM -0400, Lance Reed wrote:
> I am having a problem with sssd (1.9.2) and passwords expiration
> against IPA v.3.0.0-37.
> I have setup sssd to use IPA with LDAP not Kerberos since this is in
> EC2 and I don’t want to deal with assigning tickets to each ephemeral
> host.  So far things are working great, with the one exception that
> due to IPA using “krbPasswordExpiration” instead of “shadowExpire”
> breaks the usage of expired passwords.  I tried setting
> “ldap_pwd_policy = mit_kerberos”, which does allow expired passwords
> to be recognized, but then breaks the users ability to change
> passwords.  I suspect it causes sssd to use al Kerberos code paths,
> which won’t work in this case.
> e.g added [domain/LDAP] trying to see if will work.
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_schema = IPA
> #ldap_pwd_policy = mit_kerberos
> ldap_account_expire_policy = mit_kerberos
> If anyone has any ideas on this I would appreciate and feedback.
> Thanks in advance.

fyi, this question was asked on sssd-users, too and the discussion is
ongoing on that list:

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to