URL: https://github.com/SSSD/sssd/pull/5928
Author: elkoniu
Title: #5928: IPA: Add password expire warning
Action: opened
PR body: """ When LDAP is used as an access provider it can be configured to show a user password expiration warning. This commit enables similar behaviour for the IPA access provider.
Resolves: https://github.com/SSSD/sssd/issues/5080 """
To pull the PR as Git branch:
    git remote add ghsssd https://github.com/SSSD/sssd
    git fetch ghsssd pull/5928/head:pr5928
    git checkout pr5928
Label: +Waiting for review
Label: +Bugzilla
alexey-tikhonov commented: """ Hi @elkoniu,
does this also resolve #3635 or is this PR IPA specific while that ticket is more general? """
See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-997836077
elkoniu commented: """
> Hi @elkoniu,
> does this also resolve #3635 or is this PR IPA specific while that ticket is more general?

Hi @alexey-tikhonov, I will try to check this and post a note here. """
See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-1009764036
elkoniu commented: """ @sumit-bose if there is a chance you can take a look at the code of this PR and tell me if the approach with hard-coded options is OK in this case? """
See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-1009764935
Label: -Waiting for review
Label: +Changes requested
sumit-bose commented: """
> @sumit-bose if there is a chance you can take a look at the code of this PR and tell me if the approach with hard-coded options is OK in this case?

Hi,
using a hardcoded default is ok, but you only have to add `LDAP_ACCESS_EXPIRE_POLICY_WARN`. Nevertheless it would be good if the IPA provider can check `ldap_access_order` as well because I would expect that sooner or later someone will ask to not only warn but reject the user which would be `LDAP_ACCESS_EXPIRE_POLICY_DENY`.
Related to Alexey's question about #3635, currently the fix would be limited to IPA users where `ldap_pwd_policy = mit_kerberos` applies. For AD users we currently do not read or evaluate the `msDS-UserPasswordExpiryTimeComputed` attribute. So this attribute should be added to the list of user attributes and a new e.g. `ldap_pwd_policy = ad` should be added to evaluate it. For IPA an `ldap_pwd_policy = ipa` might be needed as well since we might have to check IPA and AD users.
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5928#issuecomment-1009843750
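
The thread above turns on which `ldap_access_order` and `ldap_pwd_policy` settings make the access provider evaluate password expiry. The following is an added example, not code from the PR or from SSSD: a small audit of an sssd.conf that reports, per domain, whether an expiry option is configured and usable. The option names and defaults (`access_provider = permit`, `ldap_access_order = filter`, `ldap_pwd_policy = none`) are taken from sssd.conf(5) and sssd-ldap(5); the sample file, domain names and finding strings are constructed for illustration.

```python
import configparser

# ldap_access_order values from sssd-ldap(5) that evaluate password expiry.
EXPIRY_OPTS = ("pwd_expire_policy_reject", "pwd_expire_policy_warn",
               "pwd_expire_policy_renew")

# Constructed sample sssd.conf; the domain names are placeholders.
SAMPLE = """
[domain/ldap-warn.test]
access_provider = ldap
ldap_pwd_policy = mit_kerberos
ldap_access_order = filter, pwd_expire_policy_warn

[domain/ldap-nopolicy.test]
access_provider = ldap
ldap_access_order = pwd_expire_policy_reject

[domain/ipa.test]
id_provider = ipa
access_provider = ipa
"""

def audit(conf_text):
    """Map each domain to how password expiry is handled at access time."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom, name = cp[section], section.split("/", 1)[1]
        provider = dom.get("access_provider", "permit")   # documented default
        if provider != "ldap":
            # ldap_access_order belongs to the LDAP access provider.
            findings[name] = "n/a: access_provider=" + provider
            continue
        order = [o.strip() for o in dom.get("ldap_access_order", "filter").split(",")]
        chosen = [o for o in order if o in EXPIRY_OPTS]
        if not chosen:
            findings[name] = "no expiry check"
        elif dom.get("ldap_pwd_policy", "none") == "none":
            findings[name] = "expiry option set, ldap_pwd_policy missing"
        else:
            findings[name] = chosen[0]
    return findings

if __name__ == "__main__":
    for domain, finding in audit(SAMPLE).items():
        print(domain, "->", finding)
```
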
sssd-devel@lists.fedorahosted.org