Following instructions in
sort-of works to get this done, but I wonder if there's a better way
to do it.  My goal is twofold: when users are created, they will be
required to have a krbPrincipalExpiration, and they should be denied
login if that date has passed; and users should be prompted to change
their password if krbPasswordExpiration has passed.  It would be
beneficial to have warnings printed for at least password expiration,
but ideally account expiration, as well.  These should be checked and
output if the user is using public key authentication as well as
passwords and GSSAPI.

If I set 'access_provider = ldap' in sssd.conf, it seems to work (also
setting ldap_access_order to pwd_expire_policy_renew, and a filter
which I've yet to determine, otherwise all logins are rejected
anyway).  My understanding from is that HBAC will then fail
to work.  Will other things, such as disabling the account, also fail?
 What about password lockouts?

Is there a better way to do this, for example one that keeps
access_provider set to ipa and consults IPA directly?  Of course
doesn't help that I need to deal with this across multiple OSs (CentOS
5 using LDAP explicitly, 6 and 7 using sssd)

Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to