I got this working on Centos 6 using the following for password-auth-ac / system-auth-ac.
#%PAM-1.0
# pam_succeed_if.so in auth MUST be sufficient
# pam_succeed_if.so in account does not currently work with uid under 500 and pwdReset:TRUE in OpenLDAP
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
#account    sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     sufficient    pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Physiology and Biophysics
Weill Cornell Medicine
E: [email protected]
O: 212-746-5454
F: 212-746-8690

On Thu, Aug 25, 2016 at 4:59 PM, Lukas Slebodnik <[email protected]> wrote:
> On (25/08/16 20:44), [email protected] wrote:
> > I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu 12.04.
> > I've got ppolicy working fine, for the most part, but I'm trying to set
> > pwdReset: TRUE in LDAP to force users to change passwords and it's not
> > having any effect. I have pwdMustChange: TRUE in the default password
> > policy, and password prompts for expired passwords work, so I know it's
> > not grossly misconfigured or something.
> >
> > I've spent a few days looking into this and from other posts and blogs it
> > sounds like pwdReset can be handled by sssd and is somehow enforced by pam,
> > but I'm not seeing any error messages about pam or password resets (pam
> > verbosity 3 and debug_level 9). With the lack of errors, I'm basically
> > wondering what are the requirements to get pwdReset functioning with sssd?
>
> Ubuntu 12.04 seems to have sssd 1.8.2
> The ppa[2] seems to have 1.11.5
>
> It would be good to test with more recent version of sssd.
> You can try sssd in 16.04.
>
> I can confirm that "pwdReset: TRUE" works with latest sssd 1.13
> which is in xenial(16.04)
>
> LS
>
> [1] http://packages.ubuntu.com/search?keywords=sssd&searchon=names&suite=precise&section=all
> [2] https://launchpad.net/~sssd/+archive/ubuntu/updates
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
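Added example, not from the thread or the sssd project: a small Python model of how libpam dispatches an auth stack, using the documented expansion of required/requisite/sufficient/optional into [value=action] controls. It walks the auth lines from the config posted above for three constructed accounts (a local root, an sssd user with uid 450, an sssd user with uid 1000) and records which modules were actually invoked, once with pam_succeed_if marked sufficient as posted and once with the stock CentOS 6 requisite. Module behaviour is a toy approximation (pam_unix and pam_sss succeed only for the account's own password, pam_succeed_if only understands a single "uid <op> N" condition); the exact failure code a module returns does not change the outcome here because the controls map every non-success to ignore or bad. What the run shows: with requisite, a uid < 500 sssd user is rejected at pam_succeed_if before pam_sss is reached, which is the situation the change works around; with sufficient, a uid >= 500 user that pam_unix does not know produces a "done" result at pam_succeed_if, so pam_sss is never called and the supplied password is not checked by anything in the auth stack. The pwdReset handling itself (what pam_sss returns and how the account and password stacks treat it) is not modelled.

```python
"""Toy model of libpam's auth-stack dispatcher (added example, not from the thread).

Constructed for illustration: the user records and module behaviour below are
made up, and only pam_env, pam_unix, pam_succeed_if, pam_sss and pam_deny are
modelled, in just enough detail to reproduce the control-flow decisions.
"""
import re

PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")

# Linux-PAM's documented expansion of the keyword controls into [value=action].
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed accounts: 'local' ones exist in /etc/passwd, the rest only via sssd.
USERS = {
    "root":  {"uid": 0,    "local": True,  "password": "local-secret"},
    "svc":   {"uid": 450,  "local": False, "password": "ldap-secret"},
    "alice": {"uid": 1000, "local": False, "password": "ldap-secret"},
}

def parse_control(token):
    """Keyword or '[value=action ...]' control -> {value: action}."""
    if token in KEYWORDS:
        return KEYWORDS[token]
    if token.startswith("[") and token.endswith("]"):
        return dict(kv.split("=", 1) for kv in token[1:-1].split())
    raise ValueError("bad control: " + token)

def parse_stack(text, stack_type="auth"):
    """pam.d-style lines -> [(control, module, args)] for one stack type."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop comments and blanks
        if len(parts) >= 3 and parts[0] == stack_type:
            entries.append((parse_control(parts[1]), parts[2], parts[3:]))
    return entries

def run_module(module, args, user, password):
    """Approximate return codes; the exact failure code does not matter below."""
    rec = USERS.get(user)
    if module == "pam_env.so":
        return PAM_SUCCESS
    if module == "pam_deny.so":
        return PAM_AUTH_ERR
    if module in ("pam_unix.so", "pam_sss.so"):
        wants_local = module == "pam_unix.so"      # pam_unix knows local users, pam_sss the rest
        if rec is None or rec["local"] != wants_local:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if password == rec["password"] else PAM_AUTH_ERR
    if module == "pam_succeed_if.so":
        # Only a single 'uid <op> N' condition is understood; 'quiet' etc. are ignored.
        m = re.match(r"uid\s*(>=|<=|!=|<|>|=)\s*(\d+)", " ".join(args))
        ops = {">=": int.__ge__, "<=": int.__le__, "!=": int.__ne__,
               "<": int.__lt__, ">": int.__gt__, "=": int.__eq__}
        ok = rec is not None and m and ops[m.group(1)](rec["uid"], int(m.group(2)))
        return PAM_SUCCESS if ok else PAM_AUTH_ERR
    raise ValueError("unmodelled module: " + module)

def evaluate(entries, user, password):
    """Walk the stack the way libpam's dispatcher does; return (status, modules called)."""
    impression, status, called, i = None, PAM_PERM_DENIED, [], 0
    while i < len(entries):
        control, module, args = entries[i]
        i += 1
        retval = run_module(module, args, user, password)
        called.append(module)
        action = control.get(retval[4:].lower(), control.get("default", "bad"))
        if action in ("ok", "done"):
            # A success only counts if nothing before it has already failed.
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                               # stop early with the stack's verdict
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action == "ignore":
            pass
        elif action.isdigit():
            i += int(action)                        # jump: skip the next N modules (simplified)
        else:
            raise ValueError("unmodelled action: " + action)
    return status, called

def check(stack_text, user, password):
    """Return the final auth verdict and whether pam_sss was consulted at all."""
    status, called = evaluate(parse_stack(stack_text), user, password)
    return status, "pam_sss.so" in called

# The auth lines from the config posted above, with pam_succeed_if 'sufficient'.
POSTED = """\
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so
"""
# The same lines with the stock CentOS 6 control on pam_succeed_if, for comparison.
STOCK = POSTED.replace("auth sufficient pam_succeed_if.so", "auth requisite pam_succeed_if.so")

if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("stock", STOCK)):
        for user, pw in (("root", "local-secret"), ("svc", "ldap-secret"),
                         ("alice", "ldap-secret"), ("alice", "wrong-password")):
            status, asked_sss = check(stack, user, pw)
            print(f"{name:6} {user:5} {pw:14} -> {status:16} pam_sss consulted: {asked_sss}")
```

Running it prints one line per stack and account; the two rows to compare are alice with a wrong password (posted stack: PAM_SUCCESS without pam_sss being called; stock stack: PAM_AUTH_ERR after pam_sss rejects it) and svc with the right password (posted stack: PAM_SUCCESS via pam_sss; stock stack: PAM_AUTH_ERR because requisite dies at uid < 500).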
