Real, Elizabeth (392K) wrote:
> This is my setup:
> I set up this directive on the LDAP clients (/etc/sssd/sssd.conf) to prevent
> users with expired accounts from logging in: ldap_pwd_policy = shadow. This works as
> expected.
Use OpenLDAP's slapo-ppolicy instead!
Using shadow account attributes has been deprecated for years.
> pam_unix(passwd:chauthtok): user “real” does not exist in the /etc/passwd
> pam_sss(passwd:chauthtok): Password change failed for user real: 28
> (Module is unknown)
> Gkr-pam: couldn't update the login keyring password: no old password was
> entered
This sounds more like PAM and sssd related. So you should sort this out first
- maybe by asking for specific issues on sssd-users mailing list.
> In an attempt to allow users to change their LDAP password, I edited my ACL on
> the LDAP server and added 'shadowLastChange':
> [..]
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
Think twice! You should not do that because of security issues!
If you really insist on using shadow account attributes you have to use
slapo-smbk5pwd to let slapd set them internally when receiving a Password
Modify extended operation.
Ciao, Michael.