On 6/26/17, 7:09 PM, "Gordon Messmer" <gordon.messmer@xxxxxxxxx> wrote:

> As far as I know, pam_ldap doesn't use passwordExpirationTime, it only
> uses the shadow* attributes.

It does respect them actually, I just had the server misconfigured.

> If you're using a recent version of 389-ds, those attributes should be
> calculated based on your policy. What version are you running? How did
> you configure your password policy?

The policy was configured using 389-console, and it seems that if you select the option "User must change password after reset", then it doesn't enforce expiration, at least that's what I changed to make enforcement work.

> (It should also be noted that sssd is a much better choice than pam_ldap
> and nss_ldap. Those modules cannot determine network availability or
> LDAP availability, and can create extremely long delays booting
> systems. Don't use them.)

I just found out about sssd yesterday, and I'm looking into migrating.

Thanks for your help.

--
Mitch Patenaude