On Fri, Jul 18, 2014 at 11:22:05AM -0400, Lance Reed wrote:
> I am having a problem with sssd (1.9.2) and password expiration
> against IPA v.3.0.0-37.
>
> I have set up sssd to use IPA with LDAP not Kerberos since this is in
> EC2 and I don’t want to deal with assigning tickets to each ephemeral
> host. So far things are working great, with the one exception that
> due to IPA using “krbPasswordExpiration” instead of “shadowExpire”
> breaks the usage of expired passwords. I tried setting
> “ldap_pwd_policy = mit_kerberos”, which does allow expired passwords
> to be recognized, but then breaks the user's ability to change
> passwords. I suspect it causes sssd to use all Kerberos code paths,
> which won’t work in this case.
>
>
> e.g. added [domain/LDAP] trying to see if it will work.
>
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_schema = IPA
>
> #ldap_pwd_policy = mit_kerberos
> ldap_account_expire_policy = mit_kerberos
>
> If anyone has any ideas on this I would appreciate any feedback.
> Thanks in advance.

fyi, this question was asked on sssd-users, too and the discussion is
ongoing on that list:
https://lists.fedorahosted.org/pipermail/sssd-users/2014-July/001957.html