Hello

When I force the expiration by changing pwdMaxAge, what I can see in the log is the following:

ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired password: 0 grace logins

I test the login, I get two warnings as configured, but the user is never forced to change it and can login as usual. Any hint on this?

I was expecting something like this; this is from my old notes (2013), and at that time it worked:

You are required to change your LDAP password immediately.
Last login: Wed Feb 13 12:07:38 2013 from server.domain.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user pmorales.
Enter login(LDAP) password:

My sss configuration:

# sssd::config
[sssd]
domains = domain
services = nss, pam, ssh, sudo
config_file_version=2

[domain/zebra]
# sssd::provider::ldap
id_provider=ldap
auth_provider=ldap
chpass_provider=ldap
ldap_uri=ldap://openldap.domain.com
ldap_chpass_uri=ldap://openldap.domain.com
ldap_search_base=dc=domain,dc=com
ldap_tls_reqcert=never
ldap_tls_cacert=/etc/openldap/cacerts/ca_certs.pem
ldap_tls_cacertdir=/etc/openldap/cacerts
ldap_id_use_start_tls=false
ldap_user_search_base=ou=Users,dc=domain,dc=com
ldap_group_search_base=ou=Groups,dc=domain,dc=com
debug_level=6
ldap_sudo_search_base=cn=sudo,ou=Groups,dc=domain,dc=com
ldap_chpass_update_last_change=true
ldap_user_shadow_last_change=shadowLastChange
ldap_pwd_policy=shadow

nsswitch.conf:

passwd: files sss
shadow: files sss
group: files sss

System-Auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_mkhomedir.so umask=0077

Password Auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_mkhomedir.so umask=0077

Thanks
Regards

2018-05-10 11:45 GMT-03:00 Net Warrior <[email protected]>:
> Hi
>
> From time to time I need to reset user passwords when they forget it, so I
> want to force them to change it when they connect over ssh. As long as I
> remember, this worked before (do not remember which openldap version it was,
> a long time ago). Anyway, how can I force users to change their passwords upon
> ssh connection? Or is it not possible anymore?
>
> Thanks
> Regards
>
> On 05/08/2018 09:25 AM, Clément OUDOT wrote:
>>
>> On 03/05/2018 at 16:23, Net Warrior wrote:
>>>
>>> Hello there guys, when setting the pwdReset to TRUE I cannot login to
>>> the system anymore, just get the permission denied, then I found this.
>>>
>>> https://github.com/pwm-project/pwm/issues/155
>>>
>>> Did I face that bug or maybe it's something else?
>>
>> It's not a bug. If pwdReset is set to TRUE, the BIND will be successful
>> but you will not be allowed to do another operation but changing
>> password. If your application is doing a SEARCH just after the BIND, you
>> will be denied.
>>
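Added example (mine, not from this thread, from SSSD or from OpenLDAP): the two password-age models the thread mixes, evaluated side by side on one entry. The ppolicy overlay expires a password on the server from pwdChangedTime plus pwdMaxAge (seconds) and records grace binds in pwdGraceUseTime, which is what the "has an expired password: 0 grace logins" log line reflects. The posted sssd.conf sets ldap_pwd_policy=shadow, which per sssd-ldap(5) evaluates shadow(5)-style attributes (shadowLastChange plus shadowMax, in days) instead, so a recently refreshed shadowLastChange yields "ok" on the client while the overlay already reports expired. The entry, timestamps and policy values below are constructed; the shadow rules follow shadow(5) and the code does not reproduce SSSD's own implementation. One further point visible in the posted PAM files: neither account stack lists pam_sss.so, so sssd's account-management phase is never consulted for these logins.

```python
"""Evaluate one LDAP user entry under two password-age models:

  * OpenLDAP ppolicy overlay: pwdChangedTime + pwdMaxAge (seconds); grace
    binds are recorded in pwdGraceUseTime; checked by the server on BIND.
  * shadow(5) attributes:     shadowLastChange + shadowMax (day numbers /
    day counts); what ldap_pwd_policy=shadow asks the client to evaluate.

Added example: not from the thread, SSSD or OpenLDAP.  Every value below is
constructed; the shadow rules follow shadow(5), not SSSD's source code.
"""
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86400

# Constructed "now": 2018-05-11 12:00 UTC, the day after the quoted mail.
NOW = datetime(2018, 5, 11, 12, 0, 0, tzinfo=timezone.utc)
TODAY_DAYS = int(NOW.timestamp()) // SECONDS_PER_DAY  # shadow-style day number

# Constructed policy: pwdMaxAge of 30 days and no grace logins (as in the log).
PWD_MAX_AGE = 30 * SECONDS_PER_DAY
PWD_GRACE_AUTHN_LIMIT = 0

# Constructed entry: ppolicy recorded the last change 40 days ago, but the
# shadowLastChange attribute was refreshed only 5 days ago.
SAMPLE_ENTRY = {
    "pwdChangedTime": "20180401120000Z",
    "shadowLastChange": str(TODAY_DAYS - 5),
    "shadowMax": "90",
    "shadowWarning": "7",
}


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ppolicy_state(entry, now, pwd_max_age, grace_limit=0):
    """Server-side view: has the password been unchanged longer than pwdMaxAge?"""
    if pwd_max_age <= 0 or "pwdChangedTime" not in entry:
        # pwdMaxAge 0 means no expiry; without pwdChangedTime nothing can age.
        return {"expired": False, "seconds_left": None, "grace_left": None}
    changed = parse_generalized_time(entry["pwdChangedTime"])
    seconds_left = int((changed + timedelta(seconds=pwd_max_age) - now).total_seconds())
    expired = seconds_left <= 0
    grace_used = len(entry.get("pwdGraceUseTime", []))  # one value per grace bind
    grace_left = max(grace_limit - grace_used, 0) if expired else None
    return {"expired": expired, "seconds_left": seconds_left, "grace_left": grace_left}


def shadow_state(entry, today_days):
    """Client-side view under shadow(5) rules, all arithmetic in days."""
    last = int(entry.get("shadowLastChange", -1))
    max_days = int(entry.get("shadowMax", -1))
    warn_days = int(entry.get("shadowWarning", -1))
    inactive = int(entry.get("shadowInactive", -1))
    if last == 0:
        # shadow(5): 0 means the user must change the password at next login.
        return {"state": "must_change", "days_left": 0}
    if last < 0 or max_days < 0:
        return {"state": "ok", "days_left": None}  # aging not configured
    expire_day = last + max_days
    days_left = expire_day - today_days
    if today_days > expire_day:
        if inactive >= 0 and today_days > expire_day + inactive:
            return {"state": "inactive", "days_left": days_left}
        return {"state": "expired", "days_left": days_left}
    if warn_days >= 0 and days_left <= warn_days:
        return {"state": "warn", "days_left": days_left}
    return {"state": "ok", "days_left": days_left}


def compare(entry, now=NOW, pwd_max_age=PWD_MAX_AGE, grace_limit=PWD_GRACE_AUTHN_LIMIT):
    """Return both verdicts so a disagreement between the models is visible."""
    today_days = int(now.timestamp()) // SECONDS_PER_DAY
    return {
        "ppolicy": ppolicy_state(entry, now, pwd_max_age, grace_limit),
        "shadow": shadow_state(entry, today_days),
    }


if __name__ == "__main__":
    for model, verdict in compare(SAMPLE_ENTRY).items():
        print(f"{model:8s} {verdict}")
```

Run as-is and the ppolicy verdict is "expired, 0 grace logins" while the shadow verdict is "ok, 85 days left": the server refuses further operations after the bind, but a client that only reads shadow attributes sees no reason to demand a password change. The two models only agree when whatever updates pwdChangedTime also updates shadowLastChange.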
