On Fri, Jul 18, 2014 at 11:22:05AM -0400, Lance Reed wrote:
> I am having a problem with sssd (1.9.2) and password expiration
> against IPA v.3.0.0-37.
> 
> I have set up sssd to use IPA with LDAP not Kerberos since this is in
> EC2 and I don’t want to deal with assigning tickets to each ephemeral
> host.  So far things are working great, with the one exception that
> due to IPA using “krbPasswordExpiration” instead of “shadowExpire”
> breaks the usage of expired passwords.  I tried setting
> “ldap_pwd_policy = mit_kerberos”, which does allow expired passwords
> to be recognized, but then breaks the user's ability to change
> passwords.  I suspect it causes sssd to use all Kerberos code paths,
> which won’t work in this case.
> 
> 
> e.g. added [domain/LDAP] trying to see if it will work.
> 
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_schema = IPA
> 
> #ldap_pwd_policy = mit_kerberos
> ldap_account_expire_policy = mit_kerberos
> 
> If anyone has any ideas on this I would appreciate any feedback.
> Thanks in advance.

FYI, this question was asked on sssd-users too, and the discussion is
ongoing on that list:
    https://lists.fedorahosted.org/pipermail/sssd-users/2014-July/001957.html

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project