I am having a problem with the ipa_pwd_extop plugin when using sssd-ldap with FreeIPA (all providers set to “ldap"). If a user changes their password, they get stuck a password expiration loop where each login or sudo forces a password reset. This happens only with sssd-ldap clients using LDAP providers. It is not a problem for a regular IPA client. One related customization that I have made to the 389DS which is part of FreeIPA. I set "passwordExp: on" in "cn=config". This causes 389DS to interpret passwordExpirationTime and is documented here: https://directory.fedoraproject.org/docs/389ds/design/password-controls.html. Some more details: It seems to be that if the ipa_pwd_extop plugin is enabled, a user password reset using SSSD-LDAP triggers an replace of the passwordExpirationTime attribute with the value “19700101000000Z”. Whenever passwordExpirationTime is “19700101000000Z” (admin reset), 389DS returns "Server is unwilling to perform (53)” for any BINDs. SSSD-LDAP interprets this as an expired password, which forces a password reset (with "ldap_access_order = pwd_expire_policy_renew, filter” set in /etc/sssd/sssd.conf). When the password is reset, the ipa_pwd_extop resets the passwordExpirationTime attribute with the value “19700101000000Z” which begins another iteration of the loop. Is this even the right list to ask questions about this problem? Is this a bug in the plugin or is there some good reason why it replaces the passwordExpirationTime attribute with the value “19700101000000Z”? Maybe one solution is to turn set "passwordExp: off" in "cn=config", but then we can have account expiration with SSSD-LDAP clients. I'd appreciate your ideas. Many Thanks, CP Chris Paul Rex Consulting, Inc 5652 Florence Terrace, Oakland, CA 94611 email: chris.paul(a)rexconsulting.net web: [ http://www.rexconsulting.net/ | http://www.rexconsulting.net ] phone, toll-free: +1 (888) 403-8996 ext 1