On 06/26/2017 10:16 AM, Mitch Patenaude wrote:
> I'm trying to migrate my organization of FDS, but policy requires a 90-day password expiration, and pam_ldap modules aren't forcing password changes even after the password expired.
As far as I know, pam_ldap doesn't use passwordExpirationTime, it only uses the shadow* attributes.
If you're using a recent version of 389-ds, those attributes should be calculated based on your policy. What version are you running? How did you configure your password policy?
(It should also be noted that sssd is a much better choice than pam_ldap and nss_ldap. Those modules cannot determine network availability or LDAP availability, and can create extremely long delays booting systems. Don't use them.)
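The mismatch described in this reply, as an added example that is not part of the original thread: an audit that flags entries the server's policy treats as expired (`passwordExpirationTime`) while a client reading only the `shadow*` attributes would still accept them. The shadow check is modelled on RFC 2307 / shadow(5) semantics as an assumption, not taken from pam_ldap's source, and the entries are constructed sample data.

```python
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400
NO_SHADOW = "expired on server, no shadow attributes present"
SHADOW_VALID = "expired on server, shadow attributes say still valid"

def ds_expired(entry, now):
    """Server-side view: passwordExpirationTime is a UTC generalized time."""
    raw = entry.get("passwordExpirationTime")
    if raw is None:
        return None
    when = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return now >= when

def shadow_expired(entry, now):
    """Client-side view from shadowLastChange/shadowMax (both counted in days).
    Returns None when the attributes needed for a decision are missing."""
    try:
        last_change = int(entry["shadowLastChange"])  # days since 1970-01-01
        max_days = int(entry["shadowMax"])            # maximum password age
    except (KeyError, ValueError):
        return None
    if last_change == 0:      # shadow(5): 0 means change at next login
        return True
    if max_days < 0:          # assumption: negative means no maximum age
        return False
    today = int(now.timestamp()) // SECONDS_PER_DAY
    return today - last_change > max_days

def audit(entries, now):
    """Return (uid, reason) for accounts a shadow-only client would not expire."""
    findings = []
    for e in entries:
        ds, sh = ds_expired(e, now), shadow_expired(e, now)
        if ds and sh is None:
            findings.append((e["uid"], NO_SHADOW))
        elif ds and sh is False:
            findings.append((e["uid"], SHADOW_VALID))
    return findings

# Constructed sample entries, shaped like the attributes an LDAP search returns.
NOW = datetime(2017, 6, 26, tzinfo=timezone.utc)
ENTRIES = [
    {"uid": "alice", "passwordExpirationTime": "20170601000000Z"},
    {"uid": "bob", "passwordExpirationTime": "20170601000000Z",
     "shadowLastChange": "17200", "shadowMax": "90"},
    {"uid": "carol", "passwordExpirationTime": "20170901000000Z",
     "shadowLastChange": "17300", "shadowMax": "90"},
    {"uid": "dave", "passwordExpirationTime": "20170601000000Z",
     "shadowLastChange": "17300", "shadowMax": "90"},
]
```

Feeding `audit` the real output of a directory search for these attributes shows which accounts would explain the symptom reported in the quoted question.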