I am having a problem with the ipa_pwd_extop plugin when using sssd-ldap with FreeIPA (all
providers set to "ldap"). If a user changes their password, they get stuck in a password
expiration loop where each login or sudo forces a password reset. This happens only with
sssd-ldap clients using LDAP providers. It is not a problem for a regular IPA client. One
related customization that I have made to the 389DS that is part of FreeIPA: I set
"passwordExp: on" in "cn=config". This causes 389DS to interpret
passwordExpirationTime and is documented here:
https://directory.fedoraproject.org/docs/389ds/design/password-controls.html.
Some more details: It seems that if the ipa_pwd_extop plugin is enabled, a user
password reset using SSSD-LDAP triggers a replace of the passwordExpirationTime attribute
with the value "19700101000000Z". Whenever passwordExpirationTime is "19700101000000Z"
(admin reset), 389DS returns "Server is unwilling to perform (53)" for any BINDs.
SSSD-LDAP interprets this as an expired password, which forces a password reset (with
"ldap_access_order = pwd_expire_policy_renew, filter" set in /etc/sssd/sssd.conf).
When the password is reset, ipa_pwd_extop resets the passwordExpirationTime attribute
to the value "19700101000000Z", which begins another iteration of the loop.
Is this even the right list to ask questions about this problem?
Is this a bug in the plugin or is there some good reason why it replaces the
passwordExpirationTime attribute with the value "19700101000000Z"?
Maybe one solution is to set "passwordExp: off" in "cn=config",
but then we can have account expiration with SSSD-LDAP clients.
I'd appreciate your ideas. Many Thanks,
CP
Chris Paul
Rex Consulting, Inc
5652 Florence Terrace, Oakland, CA 94611
email: chris.paul(a)rexconsulting.net
web: http://www.rexconsulting.net
phone, toll-free: +1 (888) 403-8996 ext 1
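An added example, not from the original post, that an admin could run over an ldapsearch export to find accounts already in the state described above: it classifies each entry's passwordExpirationTime and flags the "19700101000000Z" sentinel that makes 389DS reject the BIND with result 53 (and so trips SSSD's pwd_expire_policy_renew). The LDIF entries are constructed sample data, and the reader assumes plain (non-base64, unfolded) attribute lines.

```python
from datetime import datetime, timezone

# Sentinel written by ipa_pwd_extop after an admin-style reset: 389DS treats it as
# "must change password at next bind" and answers BIND with unwilling to perform (53).
ADMIN_RESET_SENTINEL = "19700101000000Z"

# Constructed sample LDIF (not real accounts): one stuck, one valid, one expired.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
passwordExpirationTime: 19700101000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
passwordExpirationTime: 20300101000000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
passwordExpirationTime: 20200101000000Z
"""

def parse_ldif(text):
    """Minimal LDIF reader (assumes no base64 values, no line folding): list of {attr: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries

def classify_expiration(value, now):
    """'admin-reset' (sentinel, BIND fails with 53), 'expired', or 'valid'."""
    if value == ADMIN_RESET_SENTINEL:
        return "admin-reset"
    exp = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return "expired" if exp <= now else "valid"

def audit_accounts(ldif_text, now=None):
    """Map each DN to its state; 'admin-reset' entries are the ones an SSSD-LDAP client
    with pwd_expire_policy_renew keeps forcing through a password change."""
    now = now or datetime.now(timezone.utc)
    return {e["dn"][0]: classify_expiration(e["passwordExpirationTime"][0], now)
            for e in parse_ldif(ldif_text) if "passwordExpirationTime" in e}
```

Run `audit_accounts(SAMPLE_LDIF)` (or feed it the output of an ldapsearch for passwordExpirationTime) and every DN reported as admin-reset is an account that will be bounced into the reset loop on its next bind.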