Hello everyone,

I am trying to get sssd configured with ldap but having a little bit of trouble. I can successfully authenticate and get all user information and all that basic jazz. However when I set pwdReset in the user's entry on our ldap sssd is not prompting the user to reset their password. It's obvious from the sssd log for the domain (part included below) that sssd sees the attribute in the password policy control but the message is not making it back to PAM.

I have also included the config for the domain including some of my attempts to figure out if this is a configuration issue. Am I missing a setting? Have I found a bug? Whats going on here?

- Seth

>>>> some Pertinent Versions
CentOS 6
sssd 1.12.2
openldap 2.4.39

>>>>>>>>>>>>>>>>>>>>>>>> auth-people log
[find_password_expiration_attributes] (0x4000): No password policy requested.
[simple_bind_send] (0x0100): Executing simple bind as: *****
[simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
[simple_bind_done] (0x2000): Server returned control [].
[simple_bind_done] (0x1000): Password Policy Response: expire [0] grace [-1] error [Password must be changed].
[simple_bind_done] (0x1000): Password was reset. User must set a new password.
[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
[auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.
[sdap_handle_release] (0x2000): Trace: sh[0x136a340], connected[1], ops[(nil)], ldap[0x1360050], destructor_lock[0], release_memory[0]
[remove_connection_callback] (0x4000): Successfully removed connection callback.
[be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [12][auth-people]
[be_pam_handler_callback] (0x0100): Sent result [12][auth-people]

>>>>>>>>>>>>>>>>>>>>> sssd.conf section for the domain

ldap_uri = ************
ldap_user_search_base = ou=people,**********
ldap_group_search_base = ou=group,**********

ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/sssd/ca-certificate.pem

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
selinux_provider = none

ldap_access_filter = (objectClass=posixAccount)
ldap_access_order = filter

debug_level = 0xFFF0

services = nss, pam
config_file_version = 2

domains = auth-people,auth-systemAccounts
debug = 0xFFF0

debug_level = 0xFFF0


debug_level = 0xFFF0
pam_verbosity = 2