I have more ideas today, although I still don't know how to get it to work. On an LDAP client, I use sssd as the caching service. The sssd.conf domain section has a parameter, ldap_access_order; if no value is given, it defaults to 'permit', which means access is permitted even though the password has expired. I have seen the following in my /var/log/secure log file:
Jun 13 23:10:07 dclientdev1 sshd[5337]: pam_sss(sshd:auth): received for user xinhuan: 12 (Authentication token is no longer valid; new one required)
Immediately after:
Jun 13 23:10:07 dclientdev1 sshd[5337]: Accepted password for xinhuan from ::1 port 41315 ssh2
I changed it to 'ldap_access_order = expire' and added another parameter, "ldap_pwd_policy = shadow". However, it can't authenticate at all, since the shadow line means the LDAP client needs to access shadowAccount information, like:
shadowLastChange
shadowExpire
shadowMin
shadowMax
...
My LDAP entry is configured with "shadowAccount". I added those attributes too. However, the LDAP client can't see my shadow information. If I run 'getent shadow root', I get output just like the entry in the /etc/shadow file; when I run 'getent shadow xinhuan', I get nothing.
I am not sure if that's the right direction to diagnose problems.
- xinhuan
--
389-users mailing list
389-users@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
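The failure mode the post quotes (pam_sss reporting an expired password for the sshd pid, followed by "Accepted password" for the same pid) can be spotted in /var/log/secure. The check below is an added example, not code from the post or from sssd; it assumes the exact line formats quoted above, and the sample log embedded in it is constructed (the first two lines are the post's own, the rest are made up for contrast).

```python
import re

# Constructed sample in the /var/log/secure format quoted in the post; the
# first two lines are the post's own, the remaining lines are made up.
SAMPLE_LOG = """\
Jun 13 23:10:07 dclientdev1 sshd[5337]: pam_sss(sshd:auth): received for user xinhuan: 12 (Authentication token is no longer valid; new one required)
Jun 13 23:10:07 dclientdev1 sshd[5337]: Accepted password for xinhuan from ::1 port 41315 ssh2
Jun 13 23:12:15 dclientdev1 sshd[5450]: pam_sss(sshd:auth): received for user bob: 12 (Authentication token is no longer valid; new one required)
Jun 13 23:12:15 dclientdev1 sshd[5450]: Failed password for bob from ::1 port 41331 ssh2
Jun 13 23:13:40 dclientdev1 sshd[5471]: Accepted password for carol from ::1 port 41340 ssh2
"""

# PAM return code 12 is PAM_NEW_AUTHTOK_REQD: the password was checked and
# found expired. An "Accepted" line for the same sshd pid right after it
# means the expiry was not enforced (the ldap_access_order = permit default).
EXPIRED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): received for user "
    r"(?P<user>\S+): 12 \(Authentication token is no longer valid"
)
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def find_expired_logins(log_text):
    """Return logins that sshd accepted after pam_sss reported an expired
    password for the same pid and user, as a list of dicts."""
    pending = {}  # (pid, user) -> True while an expiry report is unmatched
    findings = []
    for line in log_text.splitlines():
        m = EXPIRED_RE.search(line)
        if m:
            pending[(m["pid"], m["user"])] = True
            continue
        m = ACCEPTED_RE.search(line)
        if m and pending.pop((m["pid"], m["user"]), False):
            findings.append({"user": m["user"], "pid": m["pid"], "src": m["src"]})
    return findings


if __name__ == "__main__":
    for f in find_expired_logins(SAMPLE_LOG):
        print(f"expired password accepted: user={f['user']} pid={f['pid']} from={f['src']}")
```

Once ldap_access_order = expire is enforced, the same check should return nothing: the pam_sss line is still logged, but it is followed by a "Failed password" rather than an "Accepted" line.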