Good Afternoon William,

I have more ideas today, although I still don't know how to get it to work.

On an LDAP client, I use sssd as the caching service. The sssd.conf domain section has a parameter, ldap_access_order; if no value is given, it defaults to 'permit', which permits access even though the password has expired. I have seen the following in my /var/log/secure log file:

    Jun 13 23:10:07 dclientdev1 sshd[5337]: pam_sss(sshd:auth): received for user xinhuan: 12 (Authentication token is no longer valid; new one required)

Immediately after:

    Jun 13 23:10:07 dclientdev1 sshd[5337]: Accepted password for xinhuan from ::1 port 41315 ssh2

I changed it to 'ldap_access_order = expire' and added another parameter, "ldap_pwd_policy = shadow". However, it can't authenticate at all, since the shadow line means the LDAP client needs to access shadowAccount information, like:

    shadowLastChange
    shadowExpire
    shadowMin
    shadowMax
    ...

My LDAP entry is configured with "shadowAccount". I added those attributes too. However, the LDAP client can't see my shadow information. When I run 'getent shadow root', I get output just like the entry in the /etc/shadow file; when I run 'getent shadow xinhuan', I get nothing.

I am not sure if that's the right direction to diagnose problems.

- xinhuan

--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
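The two log lines quoted above (pam_sss reporting PAM error 12, then sshd accepting the login from the same process) are a usable detection signature for "expired password still permitted", and the sssd.conf settings behind it are easy to lint. The following is an added example, not code from the mailing-list thread or from the sssd or 389 DS projects. The log sample is constructed from the two lines in the message plus one ordinary login; the sssd.conf samples are constructed (the domain name, URI and base DN are placeholders), and the check for a missing ldap_default_bind_dn is an advisory heuristic added here, since an sssd client with no bind DN queries the directory anonymously and will see only the attributes the server's ACIs expose to anonymous readers.

```python
"""Detect expired-password logins that sssd still permitted, and audit the
sssd.conf settings that govern that behaviour. Added example; all samples
below are constructed and the names in them are placeholders."""
import configparser
import re

# Constructed /var/log/secure excerpt: the two lines from the message and
# one unrelated, ordinary login for contrast.
SAMPLE_LOG = """\
Jun 13 23:10:07 dclientdev1 sshd[5337]: pam_sss(sshd:auth): received for user xinhuan: 12 (Authentication token is no longer valid; new one required)
Jun 13 23:10:07 dclientdev1 sshd[5337]: Accepted password for xinhuan from ::1 port 41315 ssh2
Jun 13 23:12:40 dclientdev1 sshd[5402]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
"""

# PAM_NEW_AUTHTOK_REQD: the Linux-PAM return code behind the message
# "Authentication token is no longer valid; new one required".
PAM_NEW_AUTHTOK_REQD = 12

PAM_SSS_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): received for user "
    r"(?P<user>\S+): (?P<code>\d+)")
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def find_expired_logins(log_text):
    """Return (user, source, pid) for every session in which the same sshd
    process first logged PAM code 12 for a user and then accepted that
    user's login anyway. Matching on the sshd PID ties the two lines to one
    authentication attempt rather than to any later login by the same user."""
    expired = set()
    hits = []
    for line in log_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if m and int(m.group("code")) == PAM_NEW_AUTHTOK_REQD:
            expired.add((m.group("pid"), m.group("user")))
            continue
        m = ACCEPTED_RE.search(line)
        if m and (m.group("pid"), m.group("user")) in expired:
            hits.append((m.group("user"), m.group("src"), m.group("pid")))
    return hits


# Constructed sssd.conf with the defaults described in the message:
# ldap_access_order unset, so it falls back to 'permit'.
WEAK_SSSD_CONF = """\
[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_search_base = dc=example,dc=test
"""

# Constructed hardened variant: expiry is enforced by the ldap access
# provider and shadow attributes are read with a dedicated bind identity.
HARDENED_SSSD_CONF = """\
[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_search_base = dc=example,dc=test
ldap_access_order = expire
ldap_account_expire_policy = shadow
ldap_pwd_policy = shadow
ldap_default_bind_dn = cn=sssd-reader,ou=services,dc=example,dc=test
# ldap_default_authtok for the bind DN is deliberately omitted here
"""


def audit_sssd_conf(conf_text):
    """Return a list of human-readable findings for each [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        order = [t.strip() for t in dom.get("ldap_access_order", "permit").split(",")]
        if "expire" not in order:
            findings.append(f"{section}: ldap_access_order={','.join(order)} "
                            "(expired passwords are still permitted)")
        elif dom.get("access_provider") != "ldap":
            findings.append(f"{section}: ldap_access_order=expire has no effect "
                            "without access_provider = ldap")
        if dom.get("ldap_pwd_policy") == "shadow" and not dom.get("ldap_default_bind_dn"):
            findings.append(f"{section}: ldap_pwd_policy=shadow with an anonymous bind; "
                            "shadow* attributes may not be readable (heuristic)")
    return findings


if __name__ == "__main__":
    for hit in find_expired_logins(SAMPLE_LOG):
        print("expired password accepted:", hit)
    for finding in audit_sssd_conf(WEAK_SSSD_CONF):
        print("finding:", finding)
    print("hardened findings:", audit_sssd_conf(HARDENED_SSSD_CONF))
```

Run it directly to see the session from the message flagged and the weak configuration reported; pointing `find_expired_logins` at a real /var/log/secure or journal export works the same way, since only the sshd PID, user and PAM code are used for correlation.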