LinuxQuestions.org
Old 03-19-2012, 11:08 PM   #1
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,118

Rep: Reputation: 315
LDAP/SSSD with password policy overlays: possible to completely lock out accounts?


I am running OpenLDAP version 2.4 with the password policy overlay turned on. This appears to be working well, and I can set a policy that users can change their passwords every N days. However, once a password expires, the system will still accept it, but the user will be immediately prompted to change it. For various reasons, I would prefer that the account just be locked out. Is there any way to accomplish this? Most of the clients are Scientific Linux (RHEL clone) with a few Ubuntu boxes mixed in too. I'm interacting with the LDAP server via SSSD rather than nslcd or similar.
 
Old 03-20-2012, 08:12 AM   #2
sgallagh
LQ Newbie
 
Registered: Mar 2011
Posts: 26

Rep: Reputation: 12
That's a server-side configuration. You need to change the password policy configuration on the server so that it provides no grace period on the password expiration. Then the client will simply deny access.
 
1 members found this post helpful.
Old 03-22-2012, 04:58 PM   #3
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,118

Original Poster
Rep: Reputation: 315
Thanks, I'll give that a shot!
 
Old 03-25-2013, 01:17 AM   #4
sunil.tumma123
LQ Newbie
 
Registered: Mar 2013
Posts: 1

Rep: Reputation: Disabled
Password policies using Password Policy Overlay

Hi,

I have configured password policies using Password Policy Overlay and I am able to log in via LDAP with pwpolicies on CentOS and Windows XP machines.

The only issue is I am not getting any message when my account is locked, or the password expires, or for a password expiry warning, or when the password must change.
The only message I receive is authentication failure.

Could you help with the above issue?

Thanks
Sunil Tumma
 
Old 03-26-2013, 06:45 AM   #5
sgallagh
LQ Newbie
 
Registered: Mar 2011
Posts: 26

Rep: Reputation: 12
Please include your (sanitized) sssd.conf when asking questions like this, as it makes it much easier to diagnose configuration issues.

At a guess, I'd suspect that you need to add

access_provider = ldap
ldap_access_order = expire



Of course, I have no idea what version of SSSD you're running, or on what OS, so it's entirely possible you're running a version too old to support this. I think it was added in SSSD 1.3.x. The current supported versions upstream are SSSD 1.8.x and SSSD 1.9.x.
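
Added example (not part of the post above, and not code from the SSSD project): a small audit that checks every domain enabled in an sssd.conf for the two settings suggested in this reply. The sample configuration, the domain names and the function name are constructed for illustration; the defaults and the `ldap_account_expire_policy` option are taken from the SSSD man pages rather than from this thread.

```python
import configparser

# Constructed sample sssd.conf (not from the thread): one domain with the
# settings suggested above, one that leaves SSSD's defaults in place.
SAMPLE = """
[sssd]
domains = corp, lab

[domain/corp]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = shadow
ldap_access_filter = (objectClass=posixAccount)

[domain/lab]
id_provider = ldap
auth_provider = ldap
"""

def audit_sssd_conf(text):
    """Return {domain: [findings]} for every domain enabled in [sssd]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    raw = cfg.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    report = {}
    for name in enabled:
        section = "domain/" + name
        if not cfg.has_section(section):
            report[name] = ["no [%s] section" % section]
            continue
        dom, findings = cfg[section], []
        # Documented defaults: access_provider=permit, ldap_access_order=filter
        if dom.get("access_provider", "permit").strip() != "ldap":
            findings.append("access_provider is not ldap")
        order = [o.strip() for o in dom.get("ldap_access_order", "filter").split(",")]
        if "expire" not in order:
            findings.append("ldap_access_order lacks expire")
        # sssd-ldap(5): the expire check uses ldap_account_expire_policy
        elif not dom.get("ldap_account_expire_policy", "").strip():
            findings.append("ldap_account_expire_policy is unset")
        report[name] = findings
    return report

if __name__ == "__main__":
    for domain, findings in audit_sssd_conf(SAMPLE).items():
        print(domain, "->", findings or "expiry checked at access phase")
```

An empty findings list means the domain has both settings from the reply; it does not confirm that the installed SSSD version supports them.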
 
  

