On 6/26/17, 7:09 PM, "Gordon Messmer" <gordon.messmer(a)gmail.com> wrote:
> As far as I know, pam_ldap doesn't use passwordExpirationTime, it only
> uses the shadow* attributes.
It does respect them actually, I just had the server misconfigured.
> If you're using a recent version of 389-ds, those attributes should be
> calculated based on your policy. What version are you running? How did
> you configure your password policy?
The policy was configured using 389-console, and it seems that if you select the
option "User must change password after reset", then it doesn't enforce
expiration; at least that's what I changed to make enforcement work.
> (It should also be noted that sssd is a much better choice than pam_ldap
> and nss_ldap. Those modules cannot determine network availability or
> LDAP availability, and can create extremely long delays booting
> systems. Don't use them.)
I just found out about sssd yesterday, and I'm looking into migrating.
Thanks for your help.
-- Mitch Patenaude