On Mon, Apr 18, 2016 at 12:54:48PM -0400, Steve Huston wrote:
> Following instructions in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html
> sort-of works to get this done, but I wonder if there's a better way
> to do it.  My goal is twofold: when users are created, they will be
> required to have a krbPrincipalExpiration, and they should be denied
> login if that date has passed; and users should be prompted to change
> their password if krbPasswordExpiration has passed.  It would be
> beneficial to have warnings printed for at least password expiration,
> but ideally account expiration, as well.  These should be checked and
> output if the user is using public key authentication as well as
> passwords and GSSAPI.
> 
> If I set 'access_provider = ldap' in sssd.conf, it seems to work (also
> setting ldap_access_order to pwd_expire_policy_renew, and a filter
> which I've yet to determine, otherwise all logins are rejected
> anyway).  My understanding from
> https://fedorahosted.org/sssd/ticket/1227 is that HBAC will then fail
> to work.  Will other things, such as disabling the account, also fail?
>  What about password lockouts?
> 
> Is there a better way to do this, for example one that keeps
> access_provider set to ipa and consults IPA directly?  Of course
> doesn't help that I need to deal with this across multiple OSs (CentOS
> 5 using LDAP explicitly, 6 and 7 using sssd)

Did you test that this actually fails with id_provider=ipa? I would
assume the IPA KDC would kick you out and prompt for a new password..

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to