I am having a problem with the ipa_pwd_extop plugin when using sssd-ldap with FreeIPA (all providers set to "ldap"). If a user changes their password, they get stuck in a password expiration loop where each login or sudo forces a password reset. This happens only with sssd-ldap clients using LDAP providers. It is not a problem for a regular IPA client. One related customization that I have made to the 389DS that is part of FreeIPA: I set "passwordExp: on" in "cn=config". This causes 389DS to interpret passwordExpirationTime and is documented here: https://directory.fedoraproject.org/docs/389ds/design/password-controls.html.

Some more details: It seems that if the ipa_pwd_extop plugin is enabled, a user password reset using SSSD-LDAP triggers a replace of the passwordExpirationTime attribute with the value "19700101000000Z". Whenever passwordExpirationTime is "19700101000000Z" (admin reset), 389DS returns "Server is unwilling to perform (53)" for any BINDs. SSSD-LDAP interprets this as an expired password, which forces a password reset (with "ldap_access_order = pwd_expire_policy_renew, filter" set in /etc/sssd/sssd.conf). When the password is reset, the ipa_pwd_extop resets the passwordExpirationTime attribute with the value "19700101000000Z", which begins another iteration of the loop.

Is this even the right list to ask questions about this problem?
Is this a bug in the plugin, or is there some good reason why it replaces the passwordExpirationTime attribute with the value "19700101000000Z"?

Maybe one solution is to set "passwordExp: off" in "cn=config", but then we can have account expiration with SSSD-LDAP clients.

I'd appreciate your ideas. Many Thanks,

CP
 
Chris Paul
Rex Consulting, Inc
5652 Florence Terrace, Oakland, CA 94611
email: chris.paul@rexconsulting.net
web: http://www.rexconsulting.net
phone, toll-free: +1 (888) 403-8996 ext 1