LDAP/SSSD with password policy overlays: possible to completely lock out accounts?
I am running OpenLDAP version 2.4 with the password policy overlay turned on. This appears to be working well, and I can set a policy that users can change their passwords every N days. However, once a password expires, the system will still accept it, but the user will be immediately prompted to change it. For various reasons, I would prefer that the account just be locked out. Is there any way to accomplish this? Most of the clients are Scientific Linux (RHEL clone) with a few Ubuntu boxes mixed in too. I'm interacting with the LDAP server via SSSD rather than nslcd or similar.
That's a server-side configuration. You need to change the password policy configuration on the server so that it provides no grace period on the password expiration. Then the client will simply deny access.
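An added example of what that server-side setting looks like as a slapo-ppolicy entry; this is not from the thread, and the policy DN, the ou=policies container and the numeric values are assumptions:

```ldif
# Constructed example: DN, container and values are assumptions, not from
# the thread. All durations are in seconds.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# Password expires 90 days after it was last changed.
pwdMaxAge: 7776000
# Ask the server to warn clients 14 days before expiry.
pwdExpireWarning: 1209600
# 0 = no grace binds: an expired password fails the bind outright instead
# of being accepted once more with a "must change" prompt. A non-zero value
# (for example 3) is what allows the expired-but-accepted behaviour.
pwdGraceAuthNLimit: 0
# Optional: also lock the entry after repeated failed binds, clearing after
# 15 minutes so an attacker cannot permanently deny a user their account.
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
```

Load it with ldapadd, then make it the default with `ppolicy_default` in slapd.conf (`olcPPolicyDefault` under cn=config) or attach it to individual users via `pwdPolicySubentry`.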
I have configured password policies using Password Policy Overlay and I am able to login via ldap with pwpolicies in Centos and windows xp machines.
The only issue is I am not getting any message when my account is locked or password expires or password expiry warning or password must change.
The only message I receive is authentication failure.
Please include your (sanitized) sssd.conf when asking questions like this, as it makes it much easier to diagnose configuration issues.
At a guess, I'd suspect that you need to add
access_provider = ldap
ldap_access_order = expire
Of course, I have no idea what version of SSSD you're running, or on what OS, so it's entirely possible you're running a version too old to support this. I think it was added in SSSD 1.3.x. The current supported versions upstream are SSSD 1.8.x and SSSD 1.9.x.