On Wed, Jan 15, 2020 at 10:59:34PM -0800, Chris Paul wrote:
Is it possible to use sssd-ldap (1.16.4-21, CentOS 7.7) with FreeIPA
server (4.6.5-11, CentOS 7.7) and have password policy (ldap_access_order=ppolicy) and
also account expiration (ldap_account_expire_policy = ipa)? It’s implied that IPA works as
why else would “ipa” be an option to ldap_account_expire_policy?
I’m trying this in my lab; can’t get it to work.
Also not perfectly clear from the manual is how to use pwd_expire_policy_reject,
pwd_expire_policy_warn, pwd_expire_policy_renew. In the manual, it is written: "Also
'ldap_pwd_policy' must be set to an appropriate password policy.”
What should ldap_pwd_policy be set to for an IPA server?
The docs also say, “for ldap_account_expire_policy=rhds, ipa, 389ds: use the value of
ldap_ns_account_lock to check if access is allowed or not.”
On my FreeIPA server, I don’t see the ldap_ns_account_lock attribute set for expired
accounts.
Hi,
'ldap_ns_account_lock' is referring to the SSSD config option
ldap_ns_account_lock (string)
When using ldap_account_expire_policy=rhds or equivalent,
this parameter determines if access is allowed or not.
Default: nsAccountLock
So please look for the nsAccountLock attribute on the IPA server.
HTH
bye,
Sumit
Either my reading is deficient or the documentation is. I’d be happy to contribute if I
understood. Does anyone have any tips?
thanks,
Chris Paul
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...