On Wed, Jan 15, 2020 at 10:59:34PM -0800, Chris Paul wrote:
> Is it possible to use sssd-ldap (1.16.4-21, CentOS 7.7) with FreeIPA server 
> (4.6.5-11, CentOS 7.7) and have password policy (ldap_access_order=ppolicy) 
> and also account expiration (ldap_account_expire_policy = ipa)? It’s implied 
> that IPA works as why else would “ipa” be an option to 
> ldap_account_expire_policy? 
> 
> I’m trying this in my lab; can’t get it to work. 
> 
> Also not perfectly clear from the manual is how to use 
> pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew. In 
> the manual, it is written: "Also 'ldap_pwd_policy' must be set to an 
> appropriate password policy."
> 
> What should ldap_pwd_policy be set to for an IPA server? 
> 
> The docs also say, “for ldap_account_expire_policy=rhds, ipa, 389ds: use the 
> value of ldap_ns_account_lock to check if access is allowed or not.” 
> 
> On my FreeIPA server, I don’t see the ldap_ns_account_lock attribute set for 
> expired accounts. 

Hi,

'ldap_ns_account_lock' is referring to the SSSD config option

       ldap_ns_account_lock (string)
           When using ldap_account_expire_policy=rhds or equivalent,
           this parameter determines if access is allowed or not.

           Default: nsAccountLock

So please look for the nsAccountLock attribute on the IPA server.

HTH

bye,
Sumit

> 
> Either my reading is deficient or the documentation is. I’d be happy to 
> contribute if I understood. Does anyone have any tips?
> 
> thanks,
> 
> Chris Paul 
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
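
Added example (not part of the original thread and not SSSD's own code): a check of which LDAP attribute the ldap_ns_account_lock option resolves to, and whether each user entry carries it. The sssd.conf fragment, the lab.example domain, the LDIF entries and the function names are constructed for illustration.

```python
import configparser

# Constructed sample inputs (not from the thread): an sssd.conf domain section and LDIF search output.
SSSD_CONF = """
[domain/lab.example]
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ipa
"""

LDIF = """
dn: uid=alice,cn=users,cn=accounts,dc=lab,dc=example
nsAccountLock: TRUE

dn: uid=bob,cn=users,cn=accounts,dc=lab,dc=example
nsaccountlock: FALSE

dn: uid=carol,cn=users,cn=accounts,dc=lab,dc=example
uid: carol
"""

def lock_attribute(conf_text, domain):
    """Return the LDAP attribute named by ldap_ns_account_lock (default nsAccountLock)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("domain/" + domain, "ldap_ns_account_lock", fallback="nsAccountLock")

def parse_ldif(text):
    """Parse simple, unfolded LDIF into {dn: {lowercased attribute: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def lock_status(conf_text, domain, ldif_text):
    """Map each DN to 'locked', 'unlocked' or 'attribute absent'."""
    attr = lock_attribute(conf_text, domain).lower()  # LDAP attribute names are case-insensitive
    result = {}
    for dn, attrs in parse_ldif(ldif_text).items():
        values = [v.lower() for v in attrs.get(attr, [])]
        result[dn] = ("attribute absent" if not values
                      else "locked" if "true" in values else "unlocked")
    return result

if __name__ == "__main__":
    print(lock_status(SSSD_CONF, "lab.example", LDIF))
```

Entries reported as "attribute absent" are the case described in the question, where the attribute is not present on the server entry at all.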