I have been able to configure authentication, sudo, password change and first-time-login password change on Linux via LDAP, and it's working fine.
We have used shadow attributes on LDAP for password policy, and shadowLastChange is getting updated after passwd on Linux.
shadowMax has been set to 30 and shadowWarning to 7. The problem is that even if a user has gone past the expiry window, login goes through fine without any warning. It is expected to present a warning that the password has expired and to change it now.
My sssd.conf looks like:
[sssd]
config_file_version = 2
services = nss, sudo, pam, autofs
domains = default
Account expiry is working fine if I add shadowExpire on LDAP, but we don't want the account to expire; the aim is to get a warning message on the Linux machine when the password expires.
I am not sure where the problem lies, but suspect that it is in the LDAP/local interface or LDAP design. The company I worked for between 2006 and 2016 used LDAP, and every password expiry came almost without warning (we set calendar alerts) and the passwords had to be reset at LDAP by the NOC team.
I have used the chage command in Linux to set the password expiration date for a user.
When the expiration date approaches, I want to notify the user automatically.
This is how I imagine it should happen:
Check daily to determine if the password is about to expire.
If the password has more than 11 days left, do nothing.
If the password has 10 or fewer days left, send a notification email to the user.
It's a good interim solution to create a script which sends a notification. But since Linux already has a mechanism in place to alert the user at login, I am looking for an option to redirect the same to LDAP.
At login, if the user uses an expired password, a notification should come to change the password when logging in.
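
The daily check proposed in the thread, applied to the LDAP shadow attributes from the original question (shadowLastChange, shadowMax). This is an added example, not code from any poster: the function names, the sample users and their values are constructed, and the 10-day threshold is the one suggested above.

```shell
#!/bin/sh
# Added example: classify accounts by password age from LDAP shadow attributes.
NOTIFY_DAYS=10   # threshold taken from the rule proposed in the thread

# Constructed sample in the LDIF form that ldapsearch -LLL prints (made-up users).
sample_ldif() {
cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
shadowLastChange: 19700
shadowMax: 30

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
shadowLastChange: 19725
shadowMax: 30

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
shadowLastChange: 19660
shadowMax: 30

dn: uid=svc,ou=people,dc=example,dc=com
uid: svc
EOF
}

# password_report TODAY: TODAY is days since 1970-01-01, the unit of shadowLastChange.
# Reads LDIF on stdin and prints "uid status days_left" for each entry.
password_report() {
  awk -v today="$1" -v notify="$NOTIFY_DAYS" '
    function emit() {
      if (uid == "") return
      if (last == "" || max == "" || max < 0) print uid, "no-expiry", "-"
      else {
        left = last + max - today          # days until the password expires
        status = (left < 0) ? "expired" : ((left <= notify) ? "notify" : "ok")
        print uid, status, left
      }
      uid = last = max = ""                # reset for the next entry
    }
    /^uid: /              { uid  = $2 }
    /^shadowLastChange: / { last = $2 }
    /^shadowMax: /        { max  = $2 }
    /^$/                  { emit() }       # blank line ends an LDIF entry
    END                   { emit() }
  '
}
```

For a live run from cron, pipe the directory's LDIF output into `password_report "$(( $(date +%s) / 86400 ))"` and mail the users whose status is `notify` or `expired`.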