[Freeipa-users] Account/password expirations
Steve Huston
huston at astro.princeton.edu
Mon Apr 18 16:54:48 UTC 2016
Following the instructions in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html
sort of works to get this done, but I wonder if there's a better way
to do it. My goal is twofold: when users are created, they will be
required to have a krbPrincipalExpiration, and they should be denied
login if that date has passed; and users should be prompted to change
their password if krbPasswordExpiration has passed. It would be
beneficial to have warnings printed for at least password expiration,
but ideally account expiration, as well. These should be checked and
output if the user is using public key authentication as well as
passwords and GSSAPI.
If I set 'access_provider = ldap' in sssd.conf, it seems to work (also
setting ldap_access_order to pwd_expire_policy_renew, and a filter
which I've yet to determine, otherwise all logins are rejected
anyway). My understanding from
https://fedorahosted.org/sssd/ticket/1227 is that HBAC will then fail
to work. Will other things, such as disabling the account, also fail?
What about password lockouts?
Is there a better way to do this, for example one that keeps
access_provider set to ipa and consults IPA directly? Of course, it
doesn't help that I need to deal with this across multiple OSs (CentOS
5 using LDAP explicitly, 6 and 7 using sssd).
--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
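For reference, the sssd.conf arrangement the post describes (access_provider switched to ldap with a password-expiry policy and an access filter) looks like the fragment below. This is an added example, not the poster's own configuration: the domain and server names are hypothetical, and it assumes the id/auth/chpass settings of an ordinary ipa-client-install domain section are left in place. It covers the disabled-account (nsAccountLock) and password-expiry checks; it does not evaluate IPA HBAC rules, which is exactly the concern raised above, and it does not check krbPrincipalExpiration for public-key logins.

```ini
# Added example (not the original poster's file). Hypothetical names:
# example.com / ipa.example.com. Attribute names are SSSD's documented
# defaults (krbPasswordExpiration, nsAccountLock).
[domain/example.com]
# id_provider, auth_provider, chpass_provider, ipa_server, ipa_domain:
# unchanged from what ipa-client-install wrote (assumed present).

# Client-side access control by the LDAP access provider instead of ipa.
# This is the setup that "sort of works"; IPA HBAC rules are NOT evaluated
# here, since they are only checked by access_provider = ipa.
access_provider = ldap

# Checks run in this order; the first one that denies wins.
#   expire                  -> account-level lock (see ldap_account_expire_policy)
#   pwd_expire_policy_renew -> let the user in, but force an immediate
#                              password change if the password has expired
#   filter                  -> ldap_access_filter below. If "filter" is listed
#                              but ldap_access_filter is unset, every login
#                              is denied; if it is not listed, the filter is
#                              simply ignored.
ldap_access_order = expire, pwd_expire_policy_renew, filter

# Decide password expiry from krbPasswordExpiration (the default value of
# ldap_user_krb_password_expiration) rather than from shadow attributes.
ldap_pwd_policy = mit_kerberos

# For "expire": honour nsAccountLock the way IPA / 389-DS set it, so a
# disabled account is still refused with this provider.
ldap_account_expire_policy = ipa

# Placeholder filter that matches every POSIX user; tighten to a group or
# host attribute once the intended policy is decided.
ldap_access_filter = (objectClass=posixAccount)
```

Check the result with a disabled test account (`ipa user-disable`) and one whose password has been forced to expire before relying on it, and keep in mind that on the CentOS 5 hosts using LDAP directly none of these SSSD settings apply.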