Real, Elizabeth (392K) wrote:
> This is my setup: I set up this directive on the LDAP clients (/etc/sssd/sssd.conf) to prevent users with expired accounts from logging in: ldap_pwd_policy = shadow. This works as expected.
Use OpenLDAP's slapo-ppolicy instead! Using shadow account attributes has been deprecated for years.
> pam_unix(passwd:chauthtok): user "real" does not exist in the /etc/passwd
> pam_sss(passwd:chauthtok): Password change failed for user real: 28 (Module is unknown)
> Gkr-pam: couldn't update the login keyring password: no old password was entered
This sounds more like a PAM- and sssd-related problem. So you should sort this out first - maybe by asking about the specific issues on the sssd-users mailing list.
> In an attempt to allow users to change their LDAP password, I edited my ACL on the LDAP server and added 'shadowLastChange': [..] olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
Think twice! You should not do that because of security issues!
If you really insist on using shadow account attributes, you have to use slapo-smbk5pwd to let slapd set them internally when receiving a Password Modify extended operation.
Ciao, Michael.
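Added example, not part of this thread: a cn=config LDIF sketching both routes Michael describes, with the ACL keeping shadowLastChange read-only for the user (a user who can write it can push their own expiry forward) and leaving its update to slapd. It assumes an mdb database at olcDatabase={1}mdb,cn=config, the suffix dc=example,dc=com, the ppolicy schema already loaded, and that the ppolicy and smbk5pwd (contrib) modules are installed; all of these are placeholders.

```ldif
# Constructed example; placeholders: olcDatabase={1}mdb,cn=config and dc=example,dc=com
# 1) Load both overlay modules (assumes the module list entry is cn=module{0},cn=config).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
-
add: olcModuleLoad
olcModuleLoad: smbk5pwd

# 2) Preferred route: slapo-ppolicy with a default policy, so slapd itself
#    enforces expiry and lockout at bind time; no shadow* attributes needed.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 0
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900

# 3) Only if shadow* attributes must stay: let slapo-smbk5pwd's shadow module
#    update shadowLastChange when a Password Modify extended operation is processed.
dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: smbk5pwd
olcSmbK5PwdEnable: shadow

# 4) ACL: users may change userPassword, but the shadow* attributes stay read-only for them.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax,shadowExpire by self read by users read by * none
olcAccess: {2}to * by users read by * none
```

With the smbk5pwd route the client must change passwords through the Password Modify extended operation, since that is the only path the overlay hooks; a plain modify of userPassword leaves shadowLastChange untouched.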