I am having a problem with sssd (1.9.2) and password expiration against IPA v.3.0.0-37. I have set up sssd to use IPA with LDAP, not Kerberos, since this is in EC2 and I don't want to deal with assigning tickets to each ephemeral host. So far things are working great, with the one exception that IPA using "krbPasswordExpiration" instead of "shadowExpire" breaks the usage of expired passwords. I tried setting "ldap_pwd_policy = mit_kerberos", which does allow expired passwords to be recognized, but then breaks the user's ability to change passwords. I suspect it causes sssd to use all Kerberos code paths, which won't work in this case. If anyone has any ideas on this I would appreciate any feedback. Thanks in advance.
example conf
[domain/LDAP]
enumerate = true
cache_credentials = True
debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = IPA
ldap_uri = ldaps://ipa-use-1b.ec2.example.net
ldap_user_search_base = dc=example,dc=net
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_ssh_public_key = ipaSshPubKey
#ldap_pwd_policy = shadow
#ldap_user_shadow_expire = krbPasswordExpiration
#ldap_pwd_policy = mit_kerberos

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = LDAP

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
On 07/18/2014 04:25 PM, Lance Reed wrote:
> I am having a problem with sssd (1.9.2) and password expiration against IPA v.3.0.0-37. I have set up sssd to use IPA with LDAP, not Kerberos, since this is in EC2 and I don't want to deal with assigning tickets to each ephemeral host. So far things are working great, with the one exception that IPA using "krbPasswordExpiration" instead of "shadowExpire" breaks the usage of expired passwords. I tried setting "ldap_pwd_policy = mit_kerberos", which does allow expired passwords to be recognized, but then breaks the user's ability to change passwords. I suspect it causes sssd to use all Kerberos code paths, which won't work in this case. If anyone has any ideas on this I would appreciate any feedback. Thanks in advance.
> example conf
>
> [domain/LDAP]
> enumerate = true
> cache_credentials = True
> debug_level = 9
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_schema = IPA
> ldap_uri = ldaps://ipa-use-1b.ec2.example.net
> ldap_user_search_base = dc=example,dc=net
> ldap_id_use_start_tls = true
> ldap_tls_reqcert = demand
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_user_ssh_public_key = ipaSshPubKey
Are you using SSH keys to log in? If yes then this might be relevant: https://fedorahosted.org/sssd/ticket/2167 But based on your description I doubt it.

What is the expectation of usage of the expired password? It is expired and needs to be changed. Can you put debug_level = 10 into the SSSD config and get the sssd logs so we can see what is going on while you are trying to change it?
> #ldap_pwd_policy = shadow
> #ldap_user_shadow_expire = krbPasswordExpiration
> #ldap_pwd_policy = mit_kerberos
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = LDAP
>
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Fri, Jul 18, 2014 at 04:25:05PM -0400, Lance Reed wrote:
> I am having a problem with sssd (1.9.2) and password expiration against IPA v.3.0.0-37. I have set up sssd to use IPA with LDAP, not Kerberos, since this is in EC2 and I don't want to deal with assigning tickets to each ephemeral host. So far things are working great, with the one exception that IPA using "krbPasswordExpiration" instead of "shadowExpire" breaks the usage of expired passwords. I tried setting "ldap_pwd_policy = mit_kerberos", which does allow expired passwords to be recognized, but then breaks the user's ability to change passwords. I suspect it causes sssd to use all Kerberos code paths, which won't work in this case. If anyone has any ideas on this I would appreciate any feedback. Thanks in advance.
Interesting, the password change using id_provider=ldap works for me here (I used git head for the test, but I'm not aware of any huge changes related to LDAP password change since 1.9). I have one suggestion, see inline, if that doesn't work, can you attach sanitized logs of the [pam] responder and the [LDAP] backend?
> example conf
>
> [domain/LDAP]
> enumerate = true
I would suggest not using enumerate=true unless there is a reason. The cache lookups are then less predictable and SSSD can be slow with a large directory due to refreshing the whole database on startup.
> cache_credentials = True
> debug_level = 9
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_schema = IPA
> ldap_uri = ldaps://ipa-use-1b.ec2.example.net
> ldap_user_search_base = dc=example,dc=net
I think the ldap_user_search_base is too wide. IPA has two parallel trees in which it stores users and groups: the "native" tree (cn=accounts,$BASE), used by SSSD and other modern clients, and by default there is also the "compat" tree, used by legacy clients like nss_ldap or non-Linuxes. Your search base looks like it might span both trees, and then some searches that are paranoid and check that only one result is returned might error out.
Can you try using: ldap_search_base = cn=accounts,dc=example,dc=net
> ldap_id_use_start_tls = true
> ldap_tls_reqcert = demand
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_user_ssh_public_key = ipaSshPubKey
> #ldap_pwd_policy = shadow
> #ldap_user_shadow_expire = krbPasswordExpiration
> #ldap_pwd_policy = mit_kerberos
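As an added example (not code from this thread or from the SSSD project), the following script applies the two suggestions from the reply above to the poster's configuration: it flags enumerate = true and any search base that is not rooted at cn=accounts, and rewrites the domain section with enumerate = false and a single ldap_search_base under cn=accounts. The embedded sssd.conf is the poster's, reconstructed from the thread. The function names are mine, and the statement that the compat tree lives at cn=compat,$BASE is an assumption about a default IPA install, not something the thread states.

```python
"""Check an sssd.conf for the two configuration points raised in the thread:
enumerate = true, and an LDAP search base that sits at the IPA suffix and so
spans both the native tree (cn=accounts,$BASE) and the compat tree.

Added example; not code from the thread or from the SSSD project.
"""
import configparser
from io import StringIO

# The poster's sssd.conf, reconstructed from the thread (values as posted).
POSTED_CONF = """\
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = LDAP

[domain/LDAP]
enumerate = true
cache_credentials = True
debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = IPA
ldap_uri = ldaps://ipa-use-1b.ec2.example.net
ldap_user_search_base = dc=example,dc=net
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_ssh_public_key = ipaSshPubKey
"""

# Options that scope SSSD's LDAP searches.  A base under cn=accounts keeps
# lookups inside IPA's native tree; the bare suffix also covers the compat
# tree (assumed here to be cn=compat,$BASE, the default in an IPA install).
SEARCH_BASE_OPTIONS = ("ldap_search_base", "ldap_user_search_base",
                       "ldap_group_search_base")
NATIVE_TREE_RDN = "cn=accounts"


def dn_components(dn):
    # Naive split: fine for IPA suffixes, which contain no escaped commas.
    return [c.strip().lower() for c in dn.split(",")]


def under_native_tree(base):
    return NATIVE_TREE_RDN in dn_components(base)


def ipa_suffix(base):
    """Return the dc=... suffix of a DN (everything from the first dc= RDN on)."""
    comps = [c.strip() for c in base.split(",")]
    for i, comp in enumerate(comps):
        if comp.lower().startswith("dc="):
            return ",".join(comps[i:])
    return base


def _parse(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def lint_sssd_conf(conf_text):
    """Return (section, option, message) tuples, one per finding."""
    cp = _parse(conf_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        if sec.get("enumerate", "false").strip().lower() == "true":
            findings.append((name, "enumerate",
                             "enumerate = true makes cache lookups less "
                             "predictable and refreshes the whole directory "
                             "on startup; drop it unless it is needed"))
        for opt in SEARCH_BASE_OPTIONS:
            base = sec.get(opt)
            if base is not None and not under_native_tree(base):
                findings.append((name, opt,
                                 "%s = %s is not under %s; at the suffix it "
                                 "spans both the native and the compat tree"
                                 % (opt, base, NATIVE_TREE_RDN)))
    return findings


def harden_sssd_conf(conf_text):
    """Apply the thread's two suggestions and return the rewritten config."""
    cp = _parse(conf_text)
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        if sec.get("enumerate", "false").strip().lower() == "true":
            sec["enumerate"] = "false"
        for opt in SEARCH_BASE_OPTIONS:
            base = sec.get(opt)
            if base is None or under_native_tree(base):
                continue
            # Replace the wide per-object base with one ldap_search_base
            # rooted at cn=accounts, as the reply above suggests.
            del sec[opt]
            sec["ldap_search_base"] = NATIVE_TREE_RDN + "," + ipa_suffix(base)
    out = StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, option, message in lint_sssd_conf(POSTED_CONF):
        print("[%s] %s: %s" % (section, option, message))
    print(harden_sssd_conf(POSTED_CONF))
```

Running the script prints the two findings for the posted config and then the rewritten sssd.conf. It only covers the search-base and enumeration points from the replies; the krbPasswordExpiration question the original post asks about is not something a config rewrite settles, and the replies ask for debug logs before going further.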