On Mon, Apr 18, 2016 at 12:54:48PM -0400, Steve Huston wrote:

> Following instructions in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html
> sort-of works to get this done, but I wonder if there's a better way
> to do it. My goal is twofold: when users are created, they will be
> required to have a krbPrincipalExpiration, and they should be denied
> login if that date has passed; and users should be prompted to change
> their password if krbPasswordExpiration has passed. It would be
> beneficial to have warnings printed for at least password expiration,
> but ideally account expiration, as well. These should be checked and
> output if the user is using public key authentication as well as
> passwords and GSSAPI.
>
> If I set 'access_provider = ldap' in sssd.conf, it seems to work (also
> setting ldap_access_order to pwd_expire_policy_renew, and a filter
> which I've yet to determine, otherwise all logins are rejected
> anyway). My understanding from
> https://fedorahosted.org/sssd/ticket/1227 is that HBAC will then fail
> to work. Will other things, such as disabling the account, also fail?
> What about password lockouts?
>
> Is there a better way to do this, for example one that keeps
> access_provider set to ipa and consults IPA directly? Of course it
> doesn't help that I need to deal with this across multiple OSs (CentOS
> 5 using LDAP explicitly, 6 and 7 using sssd)
Did you test that this actually fails with id_provider=ipa? I would assume the IPA KDC would kick you out and prompt for a new password..

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
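For reference, an sssd.conf fragment showing the LDAP-access-provider approach the original question describes, with the password-expiry checks spelled out. This is an added illustration, not a configuration from either poster or from the FreeIPA/SSSD projects; the domain name `example.test` and the server name are placeholders, and the choice of `mit_kerberos` password policy and the `[pam]` warning setting are assumptions about how one would wire krbPasswordExpiration into the access check on an IPA-backed LDAP tree. As the question notes (citing SSSD ticket 1227), switching `access_provider` from `ipa` to `ldap` means HBAC rules are no longer evaluated by SSSD, so the trade-off should be understood before deploying it.

```ini
# /etc/sssd/sssd.conf (added example, placeholders only; not from the original thread)
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
ipa_domain = example.test

# Switching the access provider to plain LDAP is what the original poster
# tried; the cost is that IPA HBAC rules are not consulted by SSSD any more.
access_provider = ldap
ldap_uri = ldaps://ipa.example.test

# Read password expiry from the Kerberos attribute (krbPasswordExpiration)
# instead of shadowLastChange/shadowMax.
ldap_pwd_policy = mit_kerberos

# Evaluate checks in this order. pwd_expire_policy_renew lets a user with an
# expired password log in but forces a change; pwd_expire_policy_reject would
# deny the login outright, pwd_expire_policy_warn only warns.
ldap_access_order = pwd_expire_policy_renew

[pam]
# Days before expiry at which a warning is printed during login.
pam_pwd_expiration_warning = 7
```

With this in place the account-phase check runs for any PAM-mediated login that reaches the account stage (including sshd with `UsePAM yes`), which is where the expiry warning and forced password change are surfaced; account-level expiry via krbPrincipalExpiration is not covered by these options and still needs a separate check.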
