On 25/01/2026 at 15:54, Felix Natter wrote:
Dear openldap experts,
Hello,
my problem is that my Ubuntu 22.04 systems do not honor password expirations (ppolicy/shadow) and ppolicy password complexities.
I tried to track this down with AI:
Bad idea.
- our server does not seem to advertise the OpenLDAP ppolicy control
- The ppolicy control OID that SSSD requires (only on Ubuntu, not on RH7) is: 1.3.6.1.4.1.42.2.27.9.5.1
This is indeed the official password policy control OID that you can find in the specification:
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11#n...
- But your server (OpenLDAP 2.5.19) advertises only these ppolicy-related controls(?):
  (ldapsearch -x -H ldap://SERVER -s base -b "" "+")
  supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
  supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
Did you load the ppolicy overlay in your OpenLDAP configuration?