[Freeipa-users] Account/password expirations
Jakub Hrozek
jhrozek at redhat.com
Tue Apr 19 15:57:04 UTC 2016
On Mon, Apr 18, 2016 at 12:54:48PM -0400, Steve Huston wrote:
> Following instructions in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html
> sort-of works to get this done, but I wonder if there's a better way
> to do it. My goal is twofold: when users are created, they will be
> required to have a krbPrincipalExpiration, and they should be denied
> login if that date has passed; and users should be prompted to change
> their password if krbPasswordExpiration has passed. It would be
> beneficial to have warnings printed for at least password expiration,
> but ideally account expiration, as well. These should be checked and
> output if the user is using public key authentication as well as
> passwords and GSSAPI.
>
> If I set 'access_provider = ldap' in sssd.conf, it seems to work (also
> setting ldap_access_order to pwd_expire_policy_renew, and a filter
> which I've yet to determine, otherwise all logins are rejected
> anyway). My understanding from
> https://fedorahosted.org/sssd/ticket/1227 is that HBAC will then fail
> to work. Will other things, such as disabling the account, also fail?
> What about password lockouts?
>
> Is there a better way to do this, for example one that keeps
> access_provider set to ipa and consults IPA directly?
> Of course, it doesn't help that I need to deal with this across multiple OSs (CentOS
> 5 using LDAP explicitly, 6 and 7 using sssd)
Did you test that this actually fails with id_provider=ipa? I would
assume the IPA KDC would kick you out and prompt for a new password...
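For reference, here is what the workaround Steve describes looks like as an sssd.conf domain section. This is an added illustration, not configuration posted by either participant: the domain name, server names and the ldap_access_filter are assumptions, and the option names are the ones documented in sssd-ldap(5). The point it makes concrete is the trade-off raised in the thread: switching access_provider from ipa to ldap moves the expiration checks to the client side (so they also run for SSH public-key logins, where the KDC is never consulted), but HBAC rules are then no longer evaluated for that host.

```ini
[domain/example.test]
# Identity, authentication and password changes still go through IPA.
# (example.test and the server names are placeholders, not from the thread)
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
ipa_domain = example.test
ipa_server = _srv_, ipa1.example.test

# access_provider = ipa (the default with id_provider = ipa) evaluates HBAC
# rules. Setting it to ldap replaces that with client-side checks, so HBAC
# is NOT applied on this host (the limitation referenced by sssd ticket 1227).
access_provider = ldap

# Read the Kerberos password policy attributes (krbPasswordExpiration,
# krbLastPwdChange) rather than shadow attributes.
ldap_pwd_policy = mit_kerberos

# Order of the client-side checks:
#   pwd_expire_policy_renew - warn about, and force a change of, an expired
#                             password even when the login did not use one
#                             (e.g. SSH keys or GSSAPI)
#   expire                  - apply ldap_account_expire_policy below
#   filter                  - apply ldap_access_filter below
ldap_access_order = pwd_expire_policy_renew, expire, filter

# With the "ipa" policy a disabled account (nsAccountLock=TRUE) is denied,
# which covers the "disabling the account" case asked about above.
ldap_account_expire_policy = ipa

# A filter is required when "filter" is in ldap_access_order; with no filter,
# or one that matches nothing, every login is rejected. This example filter is
# an assumption: it admits every unlocked account, so it is deliberately
# permissive and exists only so that the other checks are reached.
ldap_access_filter = (!(nsAccountLock=TRUE))
```

Note that krbPrincipalExpiration is enforced by the IPA KDC itself for password and GSSAPI logins; nothing in the block above checks that attribute on the client, so an SSH public-key login would not be blocked by it with this configuration alone. After editing sssd.conf, restart sssd and clear its cache (for example with `sss_cache -E`) so the new access rules take effect on the next login.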