Clément OUDOT <[email protected]> writes:
> On 25/01/2026 at 15:54, Felix Natter wrote:
>> Dear openldap experts,
>
>
> Hello,

hello Clément,

>> my problem is that my ubuntu 22.04 systems do not honor password
>> expirations (ppolicy/shadow) and ppolicy password complexities.
>>
>> I tried to track this down with AI:
>
> Bad idea.

probably :)

>
>>
>> * our server does not seem to advertise the OpenLDAP ppolicy control
>> * The ppolicy control OID that SSSD requires (only on Ubuntu, not on RH7) is:
>>    1.3.6.1.4.1.42.2.27.9.5.1
>
>
> This is indeed the official password policy control OID that you can find
> in the specification:
>
> https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11#name-controls-used-for-password-
>
>
>>
>> * But your server (OpenLDAP 2.5.19) advertises only these
>>    ppolicy-related controls(?):
>>   (ldapsearch -x -H ldap://SERVER -s base -b "" "+")
>>      supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
>>      supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
>
>
> Did you load the ppolicy overlay in your OpenLDAP configuration?

I do not have access to the exact config right now, but both RH7 and
ldap account manager pro can read and modify the ppolicies.
The AI asked me to verify it with some ldapsearch command output and
replied that the ppolicy overlay is loaded correctly (but that may be
wrong ;)

Many Thanks and Best Regards,
Felix
-- 
Felix Natter
