LinuxQuestions.org

Linux - Server forum thread: http://www.linuxquestions.org/questions/linux-server-73/ldap-sssd-with-password-policy-overlays-possible-to-completely-lock-out-accounts-935395/

btmiller 03-19-2012 11:08 PM

LDAP/SSSD with password policy overlays: possible to completely lock out accounts?
 
I am running OpenLDAP version 2.4 with the password policy overlay turned on. This appears to be working well, and I can set a policy that users can change their passwords every N days. However, once a password expires, the system will still accept it, but the user will be immediately prompted to change it. For various reasons, I would prefer that the account just be locked out. Is there any way to accomplish this? Most of the clients are Scientific Linux (RHEL clone) with a few Ubuntu boxes mixed in too. I'm interacting with the LDAP server via SSSD rather than nslcd or similar.

sgallagh 03-20-2012 08:12 AM

That's a server-side configuration. You need to change the password policy configuration on the server so that it provides no grace period on the password expiration. Then the client will simply deny access.

btmiller 03-22-2012 04:58 PM

Thanks, I'll give that a shot!

sunil.tumma123 03-25-2013 01:17 AM

Password policies using the Password Policy Overlay
 
Hi,

I have configured password policies using the Password Policy Overlay and I am able to log in via LDAP with pwpolicies on CentOS and Windows XP machines.

The only issue is I am not getting any message when my account is locked, my password expires, a password expiry warning is due, or the password must be changed.
The only message I receive is authentication failure.

Could you help with the above issue?

Thanks
Sunil Tumma

sgallagh 03-26-2013 06:45 AM

Please include your (sanitized) sssd.conf when asking questions like this, as it makes it much easier to diagnose configuration issues.

At a guess, I'd suspect that you need to add

# in the [domain/<name>] section of sssd.conf
access_provider = ldap
ldap_access_order = expire

Of course, I have no idea what version of SSSD you're running, or on what OS, so it's entirely possible you're running a version too old to support this. I think it was added in SSSD 1.3.x. The current supported versions upstream are SSSD 1.8.x and SSSD 1.9.x.
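As an added example that is not code from this thread: a small Python model of the slapo-ppolicy attributes both replies depend on (pwdMaxAge, pwdExpireWarning, pwdGraceAuthNLimit, pwdGraceUseTime), evaluated over constructed ldapsearch-style entries. It shows why a non-zero pwdGraceAuthNLimit still lets an expired password bind (the grace period from the first reply), and why a limit of 0 produces the lock-out the original poster asked for. The DNs, policy name and all values are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries in ldapsearch output style (not taken from the thread);
# the DNs, the policy name and the attribute values are assumptions for this example.
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 2
"""
USER_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20120101120000Z
pwdGraceUseTime: 20120405080000Z
"""

def parse_ldif(text):
    """Minimal single-entry LDIF parser; every attribute becomes a list of values."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value.strip())
    return entry

def gen_time(value):
    """LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) to an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def evaluate(policy, user, now_gt):
    """Classify the account at time now_gt (GeneralizedTime) as ok/warn/grace/locked,
    following the slapo-ppolicy attribute semantics."""
    now = gen_time(now_gt)
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    if max_age == 0 or "pwdChangedTime" not in user:
        return "ok", "no pwdMaxAge or no pwdChangedTime: expiry not enforced"
    expires = gen_time(user["pwdChangedTime"][0]) + timedelta(seconds=max_age)
    if now < expires:
        warn = int(policy.get("pwdExpireWarning", ["0"])[0])
        if warn and now >= expires - timedelta(seconds=warn):
            return "warn", f"password expires in {expires - now}"
        return "ok", f"password expires at {expires:%Y-%m-%d %H:%M}Z"
    # Expired: the bind still succeeds while grace logins remain; the server records
    # each grace bind as another pwdGraceUseTime value on the entry.
    grace_limit = int(policy.get("pwdGraceAuthNLimit", ["0"])[0])
    grace_used = len(user.get("pwdGraceUseTime", []))
    if grace_used < grace_limit:
        return "grace", f"{grace_limit - grace_used} grace bind(s) left"
    return "locked", "password expired and no grace binds left"
```

Run the same user against a policy with `pwdGraceAuthNLimit: 0` to see the state flip from `grace` to `locked` the moment pwdChangedTime + pwdMaxAge has passed.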
