On Sun, Feb 23, 2020 at 06:27:04PM -0800, Chris Paul via FreeIPA-users wrote:
I am having a problem with the ipa_pwd_extop plugin when using
sssd-ldap with FreeIPA (all providers set to "ldap"). If a user changes their
password, they get stuck in a password expiration loop where each login or sudo forces a
password reset. This happens only with sssd-ldap clients using LDAP providers. It is not a
problem for a regular IPA client. One related customization that I have made to the 389DS
which is part of FreeIPA: I set "passwordExp: on" in "cn=config". This
causes 389DS to interpret passwordExpirationTime and is documented here:
https://directory.fedoraproject.org/docs/389ds/design/password-controls.html.
Some more details: It seems that if the ipa_pwd_extop plugin is enabled, a user
password reset using SSSD-LDAP triggers a replace of the passwordExpirationTime attribute
with the value "19700101000000Z". Whenever passwordExpirationTime is "19700101000000Z"
(admin reset), 389DS returns "Server is unwilling to perform (53)" for any BINDs.
SSSD-LDAP interprets this as an expired password, which forces a password reset (with
"ldap_access_order = pwd_expire_policy_renew, filter" set in /etc/sssd/sssd.conf).
When the password is reset, the ipa_pwd_extop resets the passwordExpirationTime attribute
with the value "19700101000000Z", which begins another iteration of the loop.
Hi,
can you send your sssd.conf?
bye,
Sumit
Is this even the right list to ask questions about this problem?
Is this a bug in the plugin or is there some good reason why it replaces the
passwordExpirationTime attribute with the value “19700101000000Z”?
Maybe one solution is to set "passwordExp: off" in "cn=config",
but then we can have account expiration with SSSD-LDAP clients.
I'd appreciate your ideas. Many Thanks,
CP
Chris Paul
Rex Consulting, Inc
5652 Florence Terrace, Oakland, CA 94611
email: chris.paul(a)rexconsulting.net
web: http://www.rexconsulting.net/
phone, toll-free: +1 (888) 403-8996 ext 1
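To tell which accounts are sitting on the "19700101000000Z" marker that the post describes (as opposed to an ordinary password that has simply aged out), it helps to audit passwordExpirationTime across users before touching cn=config. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389DS. It reads LDIF in the shape that `ldapsearch -LLL` produces, parses the LDAP GeneralizedTime values, and classifies each user. The sample LDIF, the example.test base DN and the user names are constructed for the example, and the interpretation of the epoch value as "admin reset" follows the post rather than any documented 389DS contract.

```python
"""Audit passwordExpirationTime values from ldapsearch LDIF output.

Added example for the FreeIPA-users thread above; not FreeIPA or 389DS code.
Runs offline against constructed LDIF so the logic can be checked without a
directory server.
"""
import base64
from datetime import datetime, timezone

# The value the post reports ipa_pwd_extop writing after a reset: the Unix
# epoch in LDAP GeneralizedTime.  With "passwordExp: on" 389DS treats any
# past expiration time as expired, so a bind on such an entry fails (per the
# post, with result 53).  Treating this exact value as a distinct state is an
# assumption taken from the post, not from 389DS documentation.
ADMIN_RESET_SENTINEL = "19700101000000Z"

# Fixed "now" so the classification below is reproducible (assumed date).
NOW = datetime(2020, 2, 24, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse the common GeneralizedTime form YYYYMMDDHHMMSSZ (UTC only)."""
    if not (len(value) == 15 and value.endswith("Z") and value[:14].isdigit()):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify_expiration(value: str, now: datetime) -> str:
    """Return 'admin-reset', 'expired' or 'valid' for one passwordExpirationTime.

    The sentinel and a genuinely old date both make the bind fail when
    passwordExp is on; only the sentinel is the one the post says gets
    re-written after every reset, so it is reported separately.
    """
    if value == ADMIN_RESET_SENTINEL:
        return "admin-reset"
    return "expired" if parse_generalized_time(value) <= now else "valid"


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, 'attr:: base64' lines, and folded continuation lines that begin
    with a single space.  Comment lines ('#') are ignored."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded line continues the previous value
            continue
        attr, _, val = raw.partition(":")
        if val.startswith(":"):                   # "attr:: <base64>" form
            val = base64.b64decode(val[1:].strip()).decode()
        current.setdefault(attr, []).append(val.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def audit_expirations(ldif_text: str, now: datetime) -> dict[str, str]:
    """Map each entry's uid to its expiration status.  Entries without a
    passwordExpirationTime attribute are left out of the report."""
    report: dict[str, str] = {}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        for value in entry.get("passwordExpirationTime", []):
            report[uid] = classify_expiration(value, now)
    return report


# Constructed sample in the shape of `ldapsearch -LLL ... uid passwordExpirationTime`
# output.  DNs and user names are invented for this example.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
passwordExpirationTime: 19700101000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
passwordExpirationTime: 20200131000000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
passwordExpirationTime: 20200801000000Z
"""


def audit_sample() -> dict[str, str]:
    """Run the audit over the constructed sample at the fixed NOW."""
    return audit_expirations(SAMPLE_LDIF, NOW)


if __name__ == "__main__":
    for uid, status in audit_sample().items():
        print(f"{uid}: {status}")
```

Against a real server the input would come from something like `ldapsearch -LLL -Y GSSAPI -b 'cn=users,cn=accounts,<your base DN>' '(uid=*)' uid passwordExpirationTime` (the search base is an assumption; adjust it to your realm), piped into `audit_expirations`. Any user reported as "admin-reset" right after they changed their own password is showing the symptom described in the post, which is a quicker check than waiting for the next sudo prompt.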
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...