7:24 p.m.
Hi,
We have the need to add password (not account) expiration in ldap and I
see that sssd supports pwd policies. What's the recommended way of
achieving password expiration keeping in mind the following:
* currently there are no shadow attributes defined ( all users have
shadowAccount objectclass but no attrs like shadowExpire / shadowMin /
shadowMax )
* upon the user logging in , if password is going to expire in a few
days, display a message to the user ( pam_account_expired_message ,
pam_pwd_expiration_warning ? )
* is sssd-1.12.4-47 rpm recommended or better sssd-1.12.5-3
<https://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-1-12/epel-6...
I found out the hard way that I need to define shadowExpire to -1
otherwise users get rejected with 'account has expired' message in sssd
debug mode but perhaps my settings are wrong. What shadow attributes
does sssd look for in the openldap tree ?
[pam]
...
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use
selfservice portal to change your password and extend account.
[domain/LDAP]
...
# Account expiration
ldap_account_expire_policy = shadow
# Password expiration
#ldap_pwd_policy = none
ldap_pwd_policy = shadow
ldap_pwdlockout_dn = cn=default,ou=policies,o=Hostopia,dc=hostopia,dc=com
ldap_access_order = filter, expire
pwd_expiration_warning = 21
...
Seems that I should be looking at src/providers/ldap/ldap_opts.h &
src/providers/ldap/sdap.h .
Thank you,
Mario Rossi
12:20 a.m.
On (03/12/15 20:24), Mario Rossi wrote:
Hi,
We have the need to add password (not account) expiration in ldap and I
see that sssd supports pwd policies. What's the recommended way of
achieving password expiration keeping in mind the following:
* currently there are no shadow attributes defined ( all users have
shadowAccount objectclass but no attrs like shadowExpire / shadowMin /
shadowMax )
* upon the user logging in , if password is going to expire in a few
days, display a message to the user ( pam_account_expired_message ,
pam_pwd_expiration_warning ? )
* is sssd-1.12.4-47 rpm recommended or better sssd-1.12.5-3
Default version in el6.7
already contians
lockout and ppolicy options in ldap_access_order
but it semms you want to use only "expire" which is available
also in older versions of sssd.
<https://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-1-12/epel-6...
I found out the hard way that I need to define shadowExpire to -1
otherwise users get rejected with 'account has expired' message in sssd
debug mode but perhaps my settings are wrong. What shadow attributes
does sssd look for in the openldap tree ?
[pam]
...
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use
selfservice portal to change your password and extend account.
[domain/LDAP]
...
# Account expiration
ldap_account_expire_policy = shadow
# Password expiration
#ldap_pwd_policy = none
ldap_pwd_policy = shadow
ldap_pwdlockout_dn = cn=default,ou=policies,o=Hostopia,dc=hostopia,dc=com
ldap_access_order = filter, expire
pwd_expiration_warning = 21
...
Seems that I should be looking at src/providers/ldap/ldap_opts.h &
src/providers/ldap/sdap.h .
looking to the manual page sssd-ldap should be ehough.
LS
8:40 a.m.
Thank you Lukas.
In our environment we only expose ldap read-only consumers and password
changes are done using a custom in-house application in php that is
accessing one of the providers in write mode. When a user changes
password, I found out that slapd will generate pwdChangedTime
non-modifiable system attribute on master so I'm not sure if that will
get replicated to the exposed consumers. We also have daily encrypted
backups of the tree for emergency cases where we might to perform a
restore. But if we do then we loose the pwdChangedTime attribute.
In lieu of this I have abandoned the idea of using password policies and
instead went with account expiration since access to production is
controlled by a set of servers and sssd can enforce account expiration
using shadowExpire ldap attribute.
For posterity the config looks like:
[pam]
.....
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account expired, please use selfservice
portal to change your password and extend account.
[domain/LDAP]
....
# SET Account expiration to shadowAccount
*ldap_account_expire_policy = shadow*
# SET Password expiration to none
*ldap_pwd_policy = none*
# SET access verification to ldap filter then check shadow account
expiration
*ldap_access_order *= filter, *expire*
ldap_chpass_update_last_change = false
# SET attribute. Redundant, It is default
ldap_user_shadow_expire = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo
$(($(date --utc --date "$1" +%s)/86400))
Thank you
On 12/07/2015 01:20 AM, Lukas Slebodnik wrote:
On (03/12/15 20:24), Mario Rossi wrote:
> Hi,
>
> We have the need to add password (not account) expiration in ldap and I
> see that sssd supports pwd policies. What's the recommended way of
> achieving password expiration keeping in mind the following:
>
> * currently there are no shadow attributes defined ( all users have
> shadowAccount objectclass but no attrs like shadowExpire / shadowMin /
> shadowMax )
> * upon the user logging in , if password is going to expire in a few
> days, display a message to the user ( pam_account_expired_message ,
> pam_pwd_expiration_warning ? )
> * is sssd-1.12.4-47 rpm recommended or better sssd-1.12.5-3
Default version in el6.7 already contians
lockout and ppolicy options in ldap_access_order
but it semms you want to use only "expire" which is available
also in older versions of sssd.
>
<https://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-1-12/epel-6...
>
> I found out the hard way that I need to define shadowExpire to -1
> otherwise users get rejected with 'account has expired' message in sssd
> debug mode but perhaps my settings are wrong. What shadow attributes
> does sssd look for in the openldap tree ?
>
>
> [pam]
> ...
> pam_pwd_expiration_warning = 21
> pam_account_expired_message = Account/password expired, please use
> selfservice portal to change your password and extend account.
>
>
> [domain/LDAP]
> ...
> # Account expiration
> ldap_account_expire_policy = shadow
>
> # Password expiration
> #ldap_pwd_policy = none
> ldap_pwd_policy = shadow
> ldap_pwdlockout_dn = cn=default,ou=policies,o=Hostopia,dc=hostopia,dc=com
> ldap_access_order = filter, expire
>
> pwd_expiration_warning = 21
> ...
>
> Seems that I should be looking at src/providers/ldap/ldap_opts.h &
> src/providers/ldap/sdap.h .
looking to the manual page sssd-ldap should be ehough.
LS
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
3056
days inactive
3059
days old
sssd-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Lukas Slebodnik -
Mario Rossi