On Wed, Sep 11, 2013 at 06:25:25PM +0000, Bright, Daniel wrote:
> I was told by the good folks at the 389-users mailing list to instead
> redirect my question to the sssd-users list so here goes, thanks in advance!
>
> All,
>
> I am in the process of moving away from pam_ldap and on to pam_sss. The basic
> sssd setup is working just fine, user authentication works, getent passwd
> works, caching is great, everything looks like it's working fine except for
> password policy enforcement. I am wondering if there is some sort of password
> policy overlay I need to use, or a special setup of sssd.conf. I tried using
> "ldap_pwd_policy=shadow", however this doesn't allow me to change passwords; I
> instead get this error:
>
> [user1@someserver ~]$ passwd
> Changing password for user user1.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Failed to update password
> (3 second delay here)
> passwd: Authentication token is no longer valid; new one required
>
> As soon as I comment out ldap_pwd_policy=shadow this error goes away, however
> so does my password policy enforcement.
>
> If anyone could help it would be greatly appreciated, I will post a working
> config on my blog after this is done so we can help others too.
>
> Thanks!
> Daniel B.
Hi Daniel,

what kind of password policy do you use on the server, if any? Is it anything like https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_a_Secure_Directory.html#Password_Policy_Attributes-Password_Max_Failure ?

Can you post the sanitized version of your pam_ldap configuration so we can suggest the best SSSD alternative?
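For readers following the thread, here is an added sssd.conf fragment (not posted by either participant, and not a diagnosis of the error above) showing where `ldap_pwd_policy = shadow` sits and which related options belong next to it. The domain name, server URI, search base and CA bundle path are placeholders; the attribute-mapping options are SSSD's documented defaults and are spelled out only to make visible which entry attributes the shadow policy reads.

```ini
# Added example sssd.conf, not from the mailing-list thread.
# Domain name, URI, search base and CA path are placeholders.
[sssd]
services = nss, pam
config_file_version = 2
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# Evaluate the shadowAccount attributes of the user's own entry on the
# client (expiry, minimum/maximum age, warning and inactivity windows).
# The entry must therefore carry these attributes and they must be
# readable by the identity SSSD binds as for lookups.
ldap_pwd_policy = shadow

# After a successful password change, write shadowLastChange (days since
# the epoch) back to the entry. Unless the directory server maintains
# shadowLastChange itself, leaving this off means the shadowMax window
# is computed from a date that never advances. With it on, the identity
# that performs the change needs write access to that attribute.
ldap_chpass_update_last_change = True

# Attribute names consulted by the shadow policy. These are the defaults;
# they only need changing if the directory uses a different schema.
ldap_user_shadow_last_change = shadowLastChange
ldap_user_shadow_min = shadowMin
ldap_user_shadow_max = shadowMax
ldap_user_shadow_warning = shadowWarning
ldap_user_shadow_inactive = shadowInactive
ldap_user_shadow_expire = shadowExpire
```

A quick check before relying on this policy is to confirm that the user entry actually carries the shadow attributes SSSD will read, e.g. `ldapsearch -x -ZZ -b "dc=example,dc=com" "(uid=user1)" shadowLastChange shadowMin shadowMax shadowExpire` (placeholder base and uid). An entry that lacks shadowLastChange gives the shadow policy nothing to compute an age from, so populating it should be part of the migration, not an afterthought.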