On 21/05/2018 at 17:10, Net Warrior wrote:
> Hello
>
> When I force the expiration changing pwdMaxAge what I can see in the log is the following:
>
> ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired password: 0 grace logins
>
> I test the login, I get two warnings as configured but the user is never forced to change it and can login as usual, any hint on this?

Seems you are mixing OpenLDAP ppolicy and shadow policy. Anyway, if the OpenLDAP ppolicy has expired the password, you should not be able to log in, unless you set some cache or failback on local account.

You should test with ldapsearch or ldapwhoami command to understand the behavior of OpenLDAP ppolicy. Then you can configure pam/sssd to fit your needs.

--
Clément Oudot | Identity Solutions Manager
Worteks | https://www.worteks.com