LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-16-2017, 04:12 PM   #1
narendra.united
LQ Newbie
 
Linux password expiration warning from LDAP


I have been able to configure authentication, sudo, password change and first-time login password change on Linux via LDAP, and it's working fine.

We have used shadow attributes on LDAP for the password policy, and shadowLastChange is getting updated after passwd on Linux.

shadowMax has been set to 30 and shadowWarning to 7. The problem is that even if the user has gone past the expiry window, login goes through fine without any warning. It is expected to present a warning that the password has expired and must be changed now.

My sssd.conf looks like this:
[sssd]
config_file_version = 2
services = nss, sudo, pam, autofs
domains = default

[nss]
filter_users = root

[pam]
pam_pwd_expiration_warning = 7

[domain/default]
auth_provider = ldap
id_provider = ldap
sudo_provider = ldap
access_provider = ldap
ldap_search_base = dc=xyz,dc=xyz
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://***
ldap_network_timeout = 3
ldap_access_filter = ismemberof=***
ldap_pwd_policy = shadow
pwd_expiration_warning = 7
ldap_chpass_update_last_change = True
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok_type = password
ldap_default_authtok = ****
enumerate = True
krb5_server = kerberos.example.com
autofs_provider = ldap
krb5_realm = EXAMPLE.COM
ldap_schema = rfc2307bis
cache_credentials = True
debug_level = 9
[autofs]

Account expiry works fine if I add shadowExpire on LDAP, but we don't want the account to expire; the aim is to get a warning message on the Linux machine when the password expires.

nsswitch.conf has sss for passwd and shadow.
 
Old 05-28-2017, 09:53 AM   #2
wpeckham
LQ Guru
 
I am not sure where the problem lies, but suspect that it is in the ldap/local interface or ldap design. The company I worked for between 2006 and 2016 used ldap, and every password expiry came almost without warning (we set calendar alerts) and the passwords had to be reset at ldap by the noc team.

If there is a solution, I want a copy!
 
Old 06-15-2017, 06:28 AM   #3
EthanStark
LQ Newbie
 
Nice to meet you.

I have used the chage command in Linux to set the password expiration date for a user.

When the expiration date approaches, I want to notify the user automatically.

This is how I imagine it should happen:

1. Check daily to determine if the password is about to expire.
2. If the password has more than 11 days left, do nothing.
3. If the password has 10 or fewer days left, send a notification email to the user.

Ethan Stark
 
Old 06-23-2017, 08:28 AM   #4
narendra.united
LQ Newbie
 
Original Poster
It's a good interim solution to create a script which sends a notification. But since Linux already has a mechanism in place to alert the user at login, I am looking for an option to redirect the same to LDAP.

When a user logs in with an expired password, a notification to change the password should appear at login.
 
  

