Setting Password Expiry

How Password Expiry Warnings Work in SSSD

Server-side password policies, defined in the identity provider, often set an expiration time when users must replace their passwords. You can configure SSSD to process password expiration warnings sent by the server and display them to users on the local system.

Note that:

- The password expiration warning must be sent from the server to SSSD for the warning to be displayed. If no password warning is sent from the server, SSSD does not display any message.
- If the password expiration warning is not set in SSSD or is set to zero (0), the SSSD password warning filter is not applied. In this situation, the server-side password warning is displayed.
- The PAM or domain password expiration settings override the password warning settings on the back end identity provider. For example:
  - The identity provider issues a password expiration warning 28 days before the password expires, but the value is set to 7 days in SSSD.
  - The provider sends the warning to SSSD starting at 28 days before the password expires, but SSSD displays the warning locally 7 days before the password expires.
Configuring Password Expiry Warnings in SSSD

- Open the /etc/sssd/sssd.conf file.
- Configure the PAM service to work with SSSD. See the System-Level Authentication Guide.
- To define when SSSD displays the warning, specify a number of days before the password expiry:
  - To define the option globally for all domains, add pam_pwd_expiration_warning to the [pam] section of sssd.conf.
  - To define the option individually for a particular domain, add pwd_expiration_warning to the corresponding domain section of sssd.conf. Note that in this case, an authentication provider must also be configured for the domain in the auth_provider option. See the System-Level Authentication Guide for details on configuring authentication providers.

  For example, to configure SSSD to display a password expiry warning 7 days before the password expires for the LDAP domain:

    [sssd]
    services = nss,pam
    [... file truncated ...]
    [domain/LDAP]
    [... file truncated ...]
    auth_provider = ldap
    pwd_expiration_warning = 7

For details, see the descriptions for pam_pwd_expiration_warning and pwd_expiration_warning in the sssd.conf(5) man page.
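The following Python script is an added example, not part of the SSSD documentation or the SSSD project. It resolves which warning window applies to each domain in an sssd.conf (domain-level pwd_expiration_warning overrides the global [pam] pam_pwd_expiration_warning, and an unset value behaves like 0) and then models the display rules above: no message unless the server sent a warning, the server warning passed through when SSSD's value is 0, and otherwise the warning shown only inside SSSD's own window. The sssd.conf content, the CORP domain and the function names are constructed for the example.

```python
"""Resolve the effective SSSD password-expiry warning window per domain
and model when the warning is displayed to the user."""
import configparser

# Constructed sample sssd.conf for this example (not a real deployment).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss,pam

[pam]
pam_pwd_expiration_warning = 14

[domain/LDAP]
auth_provider = ldap
pwd_expiration_warning = 7

[domain/CORP]
auth_provider = krb5
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; keep option names as written (no lower-casing)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def configured_domains(cp: configparser.ConfigParser) -> list:
    """Domain names from every [domain/NAME] section."""
    return [s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")]


def effective_warning_days(cp: configparser.ConfigParser, domain: str) -> int:
    """Domain-level pwd_expiration_warning wins over the global
    [pam] pam_pwd_expiration_warning. A missing option is treated like 0,
    meaning the SSSD filter is not applied and the server warning passes through."""
    section = f"domain/{domain}"
    if cp.has_option(section, "pwd_expiration_warning"):
        return cp.getint(section, "pwd_expiration_warning")
    if cp.has_option("pam", "pam_pwd_expiration_warning"):
        return cp.getint("pam", "pam_pwd_expiration_warning")
    return 0


def warning_displayed(days_left: int, server_warning_days: int,
                      sssd_warning_days: int) -> bool:
    """Model of the rules in the text (days_left >= 0, i.e. not yet expired):
    1. Nothing is shown unless the server itself sends a warning.
    2. With SSSD's value at 0 (or unset), the server warning is shown as-is.
    3. Otherwise SSSD shows it only once inside its own window."""
    server_sent = 0 <= days_left <= server_warning_days
    if not server_sent:
        return False
    if sssd_warning_days <= 0:
        return True
    return days_left <= sssd_warning_days


def report(cp: configparser.ConfigParser) -> dict:
    """Map each configured domain to its effective SSSD warning window."""
    return {d: effective_warning_days(cp, d) for d in configured_domains(cp)}


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for domain, days in report(conf).items():
        print(f"{domain}: SSSD warning window = {days} day(s)")
    # The worked case from the text: server warns at 28 days, SSSD set to 7.
    for left in (30, 20, 7, 1):
        print(f"{left} days left -> displayed: {warning_displayed(left, 28, 7)}")
```

Running it against the sample shows LDAP resolving to 7 (domain override) and CORP to 14 (the [pam] default), and for the 28-versus-7 case the warning is suppressed at 20 days but shown at 7 and below; at 30 days nothing is shown because the server has not yet sent a warning.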