LDAP/SSSD with password policy overlays: possible to completely lock out accounts?
I am running OpenLDAP version 2.4 with the password policy overlay turned on. This appears to be working well, and I can set a policy that users can change their passwords every N days. However, once a password expires, the system will still accept it, but the user will be immediately prompted to change it. For various reasons, I would prefer that the account just be locked out. Is there any way to accomplish this? Most of the clients are Scientific Linux (RHEL clone) with a few Ubuntu boxes mixed in too. I'm interacting with the LDAP server via SSSD rather than nslcd or similar.
|
That's a server-side configuration. You need to change the password policy configuration on the server so that it provides no grace period on the password expiration. Then the client will simply deny access.
|
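As an added example (not posted in the thread), this is what the server-side change described in the answer above looks like in LDIF for the OpenLDAP 2.4 ppolicy overlay: a policy entry with pwdGraceAuthNLimit set to 0, so an expired password is refused at bind time instead of being accepted with a change prompt. The suffix dc=example,dc=com, the ou=policies container, the 90-day pwdMaxAge and the cn=config database/overlay indices are assumptions for the example.

```ldif
# Added example, not from the original thread.
# Assumes an existing container ou=policies,dc=example,dc=com.
# pwdPolicy is AUXILIARY, so a structural class (person) is needed.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# Passwords expire 90 days after pwdChangedTime (seconds).
pwdMaxAge: 7776000
# Start returning expiry warnings in the ppolicy control 7 days before.
pwdExpireWarning: 604800
# 0 grace logins: an expired password cannot be used to bind at all,
# which is what turns "prompt to change" into a hard lockout.
pwdGraceAuthNLimit: 0
# Also lock the account after repeated failed binds (15 minutes).
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900

# Make this policy the default for the database (indices are assumed;
# check your own cn=config with ldapsearch before applying).
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
```

The first entry is loaded with ldapadd and the second with ldapmodify against cn=config; with no grace logins, SSSD simply sees the bind fail once the password has aged past pwdMaxAge.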
Thanks, I'll give that a shot!
|
Password policies using Password Policy Overlay
Hi,
I have configured password policies using Password Policy Overlay and I am able to login via LDAP with pwpolicies on CentOS and Windows XP machines. The only issue is I am not getting any message when my account is locked or password expires or password expiry warning or password must change. The only message I receive is authentication failure. Could you help on the above issue? Thanks, Sunil Tumma |
Please include your (sanitized) sssd.conf when asking questions like this, as it makes it much easier to diagnose configuration issues.
At a guess, I'd suspect that you need to add

access_provider = ldap
ldap_access_order = expire

Of course, I have no idea what version of SSSD you're running, or on what OS, so it's entirely possible you're running a version too old to support this. I think it was added in SSSD 1.3.x. The current supported versions upstream are SSSD 1.8.x and SSSD 1.9.x. |