Thank you Lukas.

In our environment we only expose ldap read-only consumers and password changes are done using a custom in-house application in php that is accessing one of the providers in write mode. When a user changes password, I found out that slapd will generate pwdChangedTime non-modifiable system attribute on master so I'm not sure if that will get replicated to the exposed consumers. We also have daily encrypted backups of the tree for emergency cases where we might need to perform a restore. But if we do then we lose the pwdChangedTime attribute.

In lieu of this I have abandoned the idea of using password policies and instead went with account expiration since access to production is controlled by a set of servers and sssd can enforce account expiration using shadowExpire ldap attribute.

For posterity the config looks like:

[pam]
.....
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.

[domain/LDAP]
....
# SET Account expiration to shadowAccount
ldap_account_expire_policy = shadow

# SET Password expiration to none
ldap_pwd_policy = none

# SET access verification to ldap filter then check shadow account expiration
ldap_access_order = filter, expire

ldap_chpass_update_last_change = false

# SET attribute. Redundant, it is the default
ldap_user_shadow_expire   = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))

Thank you

On 12/07/2015 01:20 AM, Lukas Slebodnik wrote:
On (03/12/15 20:24), Mario Rossi wrote:
Hi,

We have the need to add password (not account) expiration in ldap and I
see that sssd supports pwd policies. What's the recommended way of
achieving password expiration keeping in mind the following:

* currently there are no shadow attributes defined ( all users have
shadowAccount objectclass but no attrs like shadowExpire / shadowMin /
shadowMax )
* upon the user logging in , if password is going to expire in a few
days, display a message to the user ( pam_account_expired_message ,
pam_pwd_expiration_warning ? )
* is sssd-1.12.4-47 rpm recommended or better sssd-1.12.5-3
Default version in el6.7 already contains
lockout and ppolicy options in ldap_access_order
but it seems you want to use only "expire" which is available
also in older versions of sssd.

<https://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-1-12/epel-6-x86_64/sssd-1.12.5-3.fc21/>?

I found out the hard way that I need to define shadowExpire to -1
otherwise users get rejected with 'account has expired' message in sssd
debug mode but perhaps my settings are wrong. What shadow attributes
does sssd look for in the openldap tree ?


[pam]
...
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use
selfservice portal to change your password and extend account.


[domain/LDAP]
...
# Account expiration
ldap_account_expire_policy = shadow

# Password expiration
#ldap_pwd_policy = none
ldap_pwd_policy = shadow
ldap_pwdlockout_dn = cn=default,ou=policies,o=Hostopia,dc=hostopia,dc=com
ldap_access_order = filter, expire

pwd_expiration_warning = 21
...

Seems that I should be looking at src/providers/ldap/ldap_opts.h &
src/providers/ldap/sdap.h .
looking to the manual page sssd-ldap should be enough.

LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
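An added example (not from this thread and not sssd's own code) modelling the shadowExpire scheme the reply settles on: the day-count arithmetic from the config comment, the value a self-service portal would write to extend an account, and the access decision of the "expire" step. The decision logic encodes what the thread reports (missing attribute denied, -1 never expires) plus an assumed rule for positive values (denied once today's day number is past it); confirm against sssd-ldap(5) before relying on it.

```python
# Added example: helpers for shadowExpire-based account expiration with sssd
# (ldap_account_expire_policy = shadow, ldap_access_order = filter, expire).
# Behaviour of the check is partly assumed; see the comments below.
from datetime import date, timedelta
from typing import Optional, Tuple

EPOCH = date(1970, 1, 1)

def shadow_expire_for(expire_on: date) -> int:
    """Days since 1970-01-01, the value stored in shadowExpire.
    Same arithmetic as the config comment's one-liner:
    echo $(($(date --utc --date "$1" +%s)/86400))"""
    return (expire_on - EPOCH).days

def shadow_expire_to_date(days: int) -> date:
    """Inverse: a stored shadowExpire day count back to a calendar date."""
    return EPOCH + timedelta(days=days)

def extend_account(current: Optional[int], today: date, grace_days: int) -> int:
    """Value a self-service portal would write after a password change:
    today + grace_days, never shortening an already later expiry."""
    proposed = shadow_expire_for(today) + grace_days
    if current is not None and current > proposed:
        return current
    return proposed

def expire_check(shadow_expire: Optional[str], today: date) -> Tuple[bool, str]:
    """Model of the 'expire' access step. Returns (allowed, reason)."""
    if shadow_expire is None:
        # Observed in the thread: an absent attribute is treated as expired.
        return False, "shadowExpire missing: account has expired"
    if shadow_expire.strip() == "":
        sp_expire = -1  # assumed: an empty field behaves like -1
    else:
        try:
            sp_expire = int(shadow_expire)
        except ValueError:
            return False, "shadowExpire %r is not an integer" % shadow_expire
    if sp_expire <= 0:
        # -1 is the thread's working 'never expires' value; other non-positive
        # values are assumed to disable the check as well.
        return True, "no expiry enforced"
    if shadow_expire_for(today) > sp_expire:
        return False, "expired on %s" % shadow_expire_to_date(sp_expire)
    return True, "expires on %s" % shadow_expire_to_date(sp_expire)
```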