Following the instructions in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html sort of works to get this done, but I wonder if there's a better way to do it. My goal is twofold: when users are created, they will be required to have a krbPrincipalExpiration, and they should be denied login if that date has passed; and users should be prompted to change their password if krbPasswordExpiration has passed. It would be beneficial to have warnings printed for at least password expiration, but ideally account expiration as well. These should be checked and output if the user is using public key authentication as well as passwords and GSSAPI.
If I set 'access_provider = ldap' in sssd.conf, it seems to work (also setting ldap_access_order to pwd_expire_policy_renew, and a filter which I've yet to determine, otherwise all logins are rejected anyway). My understanding from https://fedorahosted.org/sssd/ticket/1227 is that HBAC will then fail to work. Will other things, such as disabling the account, also fail? What about password lockouts? Is there a better way to do this, for example one that keeps access_provider set to ipa and consults IPA directly? Of course it doesn't help that I need to deal with this across multiple OSs (CentOS 5 using LDAP explicitly, 6 and 7 using sssd).

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library | "On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
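The sssd.conf arrangement the post describes, written out as an added illustration rather than the poster's own file: the domain name and the `ldap_access_filter` value are placeholders (the post says the filter is still undetermined), and `ldap_pwd_policy = mit_kerberos` is an assumption about which attribute SSSD reads the password expiry date from.

```ini
# /etc/sssd/sssd.conf (constructed example; domain name is a placeholder)
[domain/example.com]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa

# Access control switched from the ipa provider to the ldap provider,
# as in the post; the post expects HBAC to stop working in this mode.
access_provider = ldap

# Evaluate the filter first, then the password-expiry check. The post
# notes that without a filter every login is rejected.
ldap_access_order = filter, pwd_expire_policy_renew

# Placeholder filter: the post has not yet determined the real one.
ldap_access_filter = (objectClass=posixAccount)

# Assumption: take the expiry date from krbPasswordExpiration so the
# check also runs for public-key and GSSAPI logins, not just passwords.
ldap_pwd_policy = mit_kerberos
```

Account expiry (krbPrincipalExpiration) is not covered by this fragment; it only addresses the password-expiry half of the question.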