URL:
https://github.com/SSSD/sssd/pull/5928
Title: #5928: IPA: Add password expire warning
sumit-bose commented:
"""
> @sumit-bose if there is a chance, can you take a look at the code of
> this PR and tell me if the approach with hard-coded options is OK in this case?
Hi,
using a hardcoded default is OK, but you only have to add
`LDAP_ACCESS_EXPIRE_POLICY_WARN`. Nevertheless, it would be good if the IPA provider could
check `ldap_access_order` as well, because I would expect that sooner or later someone will
ask to not only warn but reject the user, which would be
`LDAP_ACCESS_EXPIRE_POLICY_DENY`.
Related to Alexey's question about #3635, currently the fix would be limited to IPA
users where `ldap_pwd_policy = mit_kerberos` applies. For AD users we currently do not
read or evaluate the `msDS-UserPasswordExpiryTimeComputed` attribute. So this attribute
should be added to the list of user attributes, and a new value, e.g. `ldap_pwd_policy = ad`,
should be added to evaluate it. For IPA an `ldap_pwd_policy = ipa` might be needed as well,
since we might have to check IPA and AD users.
bye,
Sumit
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5928#issuecomment-1009843750
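The evaluation Sumit sketches for AD users, as an added example that is not SSSD code and not part of this PR: decode `msDS-UserPasswordExpiryTimeComputed` from its Windows FILETIME encoding and apply a warn-only or deny policy to it. The policy names, the warn/deny semantics, the handling of the "never expires" sentinel and the sample values are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Constructed example, not SSSD code. Policy names mirror the PR's
 * LDAP_ACCESS_EXPIRE_POLICY_WARN / _DENY but are defined locally. */
enum expire_policy { EXPIRE_POLICY_WARN, EXPIRE_POLICY_DENY };
enum expire_result { EXPIRE_OK, EXPIRE_WARN, EXPIRE_REJECT };

/* AD returns msDS-UserPasswordExpiryTimeComputed as a Windows FILETIME:
 * 100 ns ticks since 1601-01-01 UTC; the largest positive value means "never". */
#define FILETIME_NEVER      0x7FFFFFFFFFFFFFFFULL
#define FILETIME_UNIX_EPOCH 116444736000000000ULL
#define FILETIME_PER_SECOND 10000000ULL

/* Whole days from `now` until the password expires, or -1 if it has already
 * expired. A value at or before the Unix epoch (AD yields 0 when pwdLastSet
 * is 0, i.e. "must change at next logon") is treated as expired. */
long days_until_expiry(uint64_t ft, time_t now)
{
    if (ft <= FILETIME_UNIX_EPOCH) return -1;
    time_t expires = (time_t)((ft - FILETIME_UNIX_EPOCH) / FILETIME_PER_SECOND);
    return expires <= now ? -1 : (long)((expires - now) / 86400);
}

/* Apply the access policy to the attribute. Assumed semantics: WARN never
 * denies, it only reports that the password is expired or within `warn_days`
 * of expiring; DENY rejects an expired password and otherwise warns like WARN. */
int evaluate_pwd_expiry(uint64_t ft, time_t now, int warn_days,
                        enum expire_policy policy)
{
    if (ft == FILETIME_NEVER) return EXPIRE_OK;   /* password never expires */
    long days = days_until_expiry(ft, now);
    if (days < 0) return policy == EXPIRE_POLICY_DENY ? EXPIRE_REJECT : EXPIRE_WARN;
    return days < warn_days ? EXPIRE_WARN : EXPIRE_OK;
}

int main(void)
{
    /* Constructed sample: "now" is 1700000000 (2023-11-14 UTC); the attribute
     * values are three days later and one day earlier, encoded as FILETIME. */
    time_t now = 1700000000;
    uint64_t in_three_days = 133447328000000000ULL;
    uint64_t yesterday     = 133443872000000000ULL;
    printf("days left: %ld\n", days_until_expiry(in_three_days, now));
    printf("warn policy, 7-day window: %d\n",
           evaluate_pwd_expiry(in_three_days, now, 7, EXPIRE_POLICY_WARN));
    printf("deny policy, expired: %d\n",
           evaluate_pwd_expiry(yesterday, now, 7, EXPIRE_POLICY_DENY));
    return 0;
}
```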