On 06/26/2017 10:16 AM, Mitch Patenaude wrote:
> I'm trying to migrate my organization of FDS, but policy requires a 90
> day password expiration, and pam_ldap modules aren't forcing password
> changes even after the password expired.

As far as I know, pam_ldap doesn't use passwordExpirationTime, it only
uses the shadow* attributes.
If you're using a recent version of 389-ds, those attributes should be
calculated based on your policy. What version are you running? How did
you configure your password policy?
(It should also be noted that sssd is a much better choice than pam_ldap
and nss_ldap. Those modules cannot determine network availability or
LDAP availability, and can create extremely long delays booting
systems. Don't use them.)
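
The mismatch described in the reply above, as an added example that is not part of the original message: a small audit that compares what a client reading only the shadow* attributes would conclude with what the server-side passwordExpirationTime says. The entries are constructed sample data, the function names are hypothetical, and the shadow check assumes shadow(5)-style semantics (days since epoch, expired once today is past shadowLastChange + shadowMax).

```python
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400

def days_since_epoch(now):
    """shadow* attributes count whole days since 1970-01-01 UTC."""
    return int(now.timestamp()) // SECONDS_PER_DAY

def shadow_expired(entry, now):
    """Expiry as seen from shadowLastChange/shadowMax only (assumed shadow(5) rules).
    Returns None when the attributes needed for a decision are absent."""
    try:
        last_change = int(entry["shadowLastChange"])
        max_days = int(entry["shadowMax"])
    except (KeyError, ValueError):
        return None
    if last_change == 0:          # 0 = change required at next login
        return True
    if max_days < 0:              # negative = no maximum age
        return False
    return days_since_epoch(now) > last_change + max_days

def policy_expired(entry, now):
    """Expiry per the server-side passwordExpirationTime (GeneralizedTime, UTC)."""
    raw = entry.get("passwordExpirationTime")
    if raw is None:
        return None
    expires = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return now >= expires

def audit(entry, now):
    """Flag entries the directory treats as expired but a shadow-only client will not."""
    shadow, policy = shadow_expired(entry, now), policy_expired(entry, now)
    if policy and shadow is None:
        return "GAP: expired per policy, no shadow* attributes for the client"
    if policy and shadow is False:
        return "GAP: expired per policy, shadow* attributes say still valid"
    return "OK: expired in both views" if policy else "OK: not expired per policy"

# Constructed sample entries (attribute values are illustrative, not from the thread).
NOW = datetime(2017, 6, 26, 10, 16, tzinfo=timezone.utc)
ENTRIES = {
    "alice": {"passwordExpirationTime": "20170601000000Z"},
    "bob": {"passwordExpirationTime": "20170504000000Z",
            "shadowLastChange": "17200", "shadowMax": "90"},
    "carol": {"passwordExpirationTime": "20170910000000Z",
              "shadowLastChange": "17330", "shadowMax": "90"},
}

if __name__ == "__main__":
    for uid, attrs in ENTRIES.items():
        print(uid, "->", audit(attrs, NOW))
```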