Thank you Lukas.

In our environment we only expose ldap read-only consumers and password
changes are done using a custom in-house application in php that is
accessing one of the providers in write mode. When a user changes
password, I found out that slapd will generate the pwdChangedTime
non-modifiable system attribute on the master so I'm not sure if that will
get replicated to the exposed consumers. We also have daily encrypted
backups of the tree for emergency cases where we might need to perform a
restore. But if we do then we lose the pwdChangedTime attribute.

In lieu of this I have abandoned the idea of using password policies and
instead went with account expiration since access to production is
controlled by a set of servers and sssd can enforce account expiration
using shadowExpire ldap attribute.

For posterity the config looks like:

[pam]
.....
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.

[domain/LDAP]
....
# SET Account expiration to shadowAccount
ldap_account_expire_policy = shadow

# SET Password expiration to none
ldap_pwd_policy = none

# SET access verification to ldap filter then check shadow account expiration
ldap_access_order = filter, expire

ldap_chpass_update_last_change = false

# SET attribute. Redundant, it is the default
ldap_user_shadow_expire = shadowExpire
# shadowExpire: days since Jan 1, 1970 that the account is disabled:
# $ echo $(($(date --utc --date "$1" +%s)/86400))

Thank you

On 12/07/2015 01:20 AM, Lukas Slebodnik wrote:
> On (03/12/15 20:24), Mario Rossi wrote:
>> Hi,
>>
>> We have the need to add password (not account) expiration in ldap and I
>> see that sssd supports pwd policies. What's the recommended way of
>> achieving password expiration keeping in mind the following:
>>
>> * currently there are no shadow attributes defined ( all users have
>> shadowAccount objectclass but no attrs like shadowExpire / shadowMin /
>> shadowMax )
>> * upon the user logging in, if password is going to expire in a few
>> days, display a message to the user ( pam_account_expired_message ,
>> pam_pwd_expiration_warning ? )
>> * is sssd-1.12.4-47 rpm recommended or better sssd-1.12.5-3
> Default version in el6.7 already contains
> lockout and ppolicy options in ldap_access_order
> but it seems you want to use only "expire" which is available
> also in older versions of sssd.
>
>> <https://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-1-12/epel-6-x86_64/sssd-1.12.5-3.fc21/>?
>>
>> I found out the hard way that I need to define shadowExpire to -1
>> otherwise users get rejected with 'account has expired' message in sssd
>> debug mode but perhaps my settings are wrong. What shadow attributes
>> does sssd look for in the openldap tree ?
>>
>>
>> [pam]
>> ...
>> pam_pwd_expiration_warning = 21
>> pam_account_expired_message = Account/password expired, please use
>> selfservice portal to change your password and extend account.
>>
>>
>> [domain/LDAP]
>> ...
>> # Account expiration
>> ldap_account_expire_policy = shadow
>>
>> # Password expiration
>> #ldap_pwd_policy = none
>> ldap_pwd_policy = shadow
>> ldap_pwdlockout_dn = cn=default,ou=policies,o=Hostopia,dc=hostopia,dc=com
>> ldap_access_order = filter, expire
>>
>> pwd_expiration_warning = 21
>> ...
>>
>> Seems that I should be looking at src/providers/ldap/ldap_opts.h &
>> src/providers/ldap/sdap.h .
> looking to the manual page sssd-ldap should be enough.
>
> LS
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
>
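Added example, not part of the original thread: small POSIX sh helpers around the shadowExpire convention the config above relies on (days since 1970-01-01), so an operator can compute the value, check an account's state the way the shadow(5) semantics describe it, and generate the LDIF a self-service portal would send to the write-enabled provider. It assumes GNU date (-u/-d), treats empty, 0 or negative shadowExpire (such as the -1 mentioned in the thread) as "never expires", and uses a placeholder DN.

```shell
#!/bin/sh
# Helpers for the shadowExpire attribute used by sssd's
# ldap_account_expire_policy = shadow. Assumes GNU date.

# Convert a calendar date (anything GNU date accepts) to a shadowExpire
# value: whole days since 1970-01-01 UTC.
shadow_expire_days() {
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# Classify an account from its shadowExpire value and a "today" day count.
# shadow(5): the account can no longer be used after the expiration day.
# Assumption: empty, 0 or negative values mean "never expires".
shadow_account_state() {
    expire="$1"; today="$2"
    if [ -z "$expire" ] || [ "$expire" -le 0 ]; then
        echo never
    elif [ "$today" -gt "$expire" ]; then
        echo expired
    else
        echo active
    fi
}

# Emit an LDIF modify that extends an account by N days from a given
# "today" day count, the kind of write a self-service portal performs.
# The DN is whatever the caller passes (placeholder in the test).
extend_account_ldif() {
    dn="$1"; today_days="$2"; extra_days="$3"
    printf 'dn: %s\nchangetype: modify\nreplace: shadowExpire\nshadowExpire: %s\n' \
        "$dn" "$(( today_days + extra_days ))"
}
```

Pipe the LDIF into ldapmodify against the write-enabled provider; the read-only consumers then receive shadowExpire through normal replication, unlike the server-generated pwdChangedTime discussed above.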
