You need to use:
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
From sssd-ldap(5):

ldap_account_expire_policy (string)
    With this option a client side evaluation of access control
    attributes can be enabled.

    Please note that it is always recommended to use server side access
    control, i.e. the LDAP server should deny the bind request with a
    suitable error code even if the password is correct.

    The following values are allowed:

    shadow: use the value of ldap_user_shadow_expire to determine if
    the account is expired.

    ad: use the value of the 32bit field
    ldap_user_ad_user_account_control and allow access if the second
    bit is not set. If the attribute is missing access is granted. Also
    the expiration time of the account is checked.

    rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if
    access is allowed or not.

    nds: the values of ldap_user_nds_login_allowed_time_map,
    ldap_user_nds_login_disabled and
    ldap_user_nds_login_expiration_time are used to check if access is
    allowed. If both attributes are missing access is granted.

    This is an experimental feature, please use
    http://fedorahosted.org/sssd to report any issues.

    Default: Empty

ldap_user_ad_account_expires (string)
    When using ldap_account_expire_policy=ad, this parameter contains
    the name of an LDAP attribute storing the expiration time of the
    account.

    Default: accountExpires

ldap_user_ad_user_account_control (string)
    When using ldap_account_expire_policy=ad, this parameter contains
    the name of an LDAP attribute storing the user account control bit
    field.

    Default: userAccountControl
--
https://bugs.launchpad.net/bugs/915386
Title:
SSSD/AD 2008 and Password Change
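
Added example, not part of the original message and not SSSD's own code: a sketch of the client-side check that the man page text above describes for ldap_account_expire_policy = ad. The function names and sample entries are constructed; it assumes accountExpires holds 100-nanosecond intervals since 1601-01-01 UTC, that 0 and 0x7FFFFFFFFFFFFFFF mean "never", and that a missing accountExpires grants access.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002        # the "second bit" of userAccountControl
AD_NEVER = 0x7FFFFFFFFFFFFFFF  # accountExpires value meaning "never" (assumption)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """Convert an aware datetime to 100-ns intervals since 1601-01-01 UTC."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def ad_access_allowed(entry, now):
    """Return (allowed, reason) for an LDAP entry given as a dict of strings."""
    uac = entry.get("userAccountControl")
    # A missing attribute grants access, as the man page states.
    if uac is not None and int(uac) & ACCOUNTDISABLE:
        return False, "account disabled"
    raw = entry.get("accountExpires")
    if raw is None:
        return True, "no expiration attribute"  # assumption, see lead-in
    expires = int(raw)
    if expires in (0, AD_NEVER):
        return True, "never expires"
    # Compare as integers so very large values cannot overflow datetime.
    if datetime_to_filetime(now) >= expires:
        return False, "account expired"
    return True, "not yet expired"


# Constructed sample entries; 129698496000000000 is 2012-01-01 00:00:00 UTC.
SAMPLE_ENTRIES = {
    "active": {"userAccountControl": "512", "accountExpires": str(AD_NEVER)},
    "disabled": {"userAccountControl": "514", "accountExpires": "0"},
    "expired": {"userAccountControl": "512",
                "accountExpires": "129698496000000000"},
    "bare": {},
}

if __name__ == "__main__":
    now = datetime(2012, 1, 12, tzinfo=timezone.utc)
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, ad_access_allowed(entry, now))
```

This only mirrors the client-side evaluation; as the man page says, the server should still deny the bind for a disabled or expired account.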