Is it possible to use sssd-ldap (1.16.4-21, CentOS 7.7) with FreeIPA server (4.6.5-11, CentOS 7.7) and have password policy (ldap_access_order=ppolicy) and also account expiration (ldap_account_expire_policy = ipa)? It’s implied that IPA works as why else would “ipa” be an option to ldap_account_expire_policy?
I’m trying this in my lab; can’t get it to work. Also not perfectly clear from the manual is how to use pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew. In the manual, it is written: "Also 'ldap_pwd_policy' must be set to an appropriate password policy.” What should ldap_pwd_policy be set to for an IPA server? The docs also say, “for ldap_account_expire_policy=rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if access is allowed or not.” On my FreeIPA server, I don’t see the ldap_ns_account_lock attribute set for expired accounts. Either my reading is deficient or the documentation is. I’d be happy to contribute if I understood. Does anyone have any tips? thanks, Chris Paul _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
