Dear openldap experts,
my problem is that my Ubuntu 22.04 systems do not honor password expirations (ppolicy/shadow) and ppolicy password complexities.
I tried to track this down with AI:
* our server does not seem to advertise the OpenLDAP ppolicy control
* The ppolicy control OID that SSSD requires (only on Ubuntu, not on RH7) is: 1.3.6.1.4.1.42.2.27.9.5.1
* But your server (OpenLDAP 2.5.19) advertises only these ppolicy‑related controls(?): (ldapsearch -x -H ldap://SERVER -s base -b "" "+")
  supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
  supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
* When using ldap_pwd_policy = ppolicy in /etc/sssd/sssd.conf, sssd crashes on startup
* this also does not work:
  ldap_pwd_policy = ppolicy
  ldap_ppolicy_compat = True
Is this train of thought anywhere close to useful?
Is there another reason why e.g. passwd(1) ignores password settings on Ubuntu 22.04?
Many Thanks and Best Regards,
Felix

On 25/01/2026 at 15:54, Felix Natter wrote:
> Dear openldap experts,

Hello,

> my problem is that my Ubuntu 22.04 systems do not honor password expirations (ppolicy/shadow) and ppolicy password complexities.
> I tried to track this down with AI:

Bad idea.

> - our server does not seem to advertise the OpenLDAP ppolicy control
> - The ppolicy control OID that SSSD requires (only on Ubuntu, not on RH7) is: 1.3.6.1.4.1.42.2.27.9.5.1

This is indeed the official password policy control OID that you can find in the specification:
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11#n...

> - But your server (OpenLDAP 2.5.19) advertises only these ppolicy‑related controls(?): (ldapsearch -x -H ldap://SERVER -s base -b "" "+")
>   supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
>   supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1

Did you load the ppolicy overlay in your OpenLDAP configuration?

Clément OUDOT clement.oudot@worteks.com writes:
> On 25/01/2026 at 15:54, Felix Natter wrote:
>> Dear openldap experts,
>
> Hello,

hello Clément,

>> my problem is that my Ubuntu 22.04 systems do not honor password expirations (ppolicy/shadow) and ppolicy password complexities.
>> I tried to track this down with AI:
>
> Bad idea.

probably :)

>> - our server does not seem to advertise the OpenLDAP ppolicy control
>> - The ppolicy control OID that SSSD requires (only on Ubuntu, not on RH7) is: 1.3.6.1.4.1.42.2.27.9.5.1
>
> This is indeed the official password policy control OID that you can find in the specification:
> https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11#n...
>
>> - But your server (OpenLDAP 2.5.19) advertises only these ppolicy‑related controls(?): (ldapsearch -x -H ldap://SERVER -s base -b "" "+")
>>   supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
>>   supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
>
> Did you load the ppolicy overlay in your OpenLDAP configuration?

I do not have access to the exact config right now, but both RH7 and ldap account manager pro can read and modify the ppolicies. The AI asked me to verify it with some ldapsearch command output and replied that the ppolicy overlay is loaded correctly (but that may be wrong ;)

Many Thanks and Best Regards,
Felix
openldap-technical@openldap.org