Setting Password Expiry

How Password Expiry Warnings Work in SSSD

Server-side password policies, defined in the identity provider, often set an expiration time when users must replace their passwords. You can configure SSSD to process password expiration warnings sent by the server and display them to users on the local system.

Note that:

  • The password expiration warning must be sent from the server to SSSD for the warning to be displayed. If no password warning is sent from the server, SSSD does not display any message.

  • If the password expiration warning is not set in SSSD or is set to zero (0), the SSSD password warning filter is not applied. In this situation, the server-side password warning is displayed.

  • The PAM or domain password expiration settings override the password warning settings of the back-end identity provider. For example:

    • The identity provider issues a password expiration warning 28 days before the password expires, but the value is set to 7 days in SSSD.

    • The provider sends the warning to SSSD starting at 28 days before the password expires, but SSSD displays the warning locally 7 days before the password expires.

Configuring Password Expiry Warnings in SSSD

  1. Open the /etc/sssd/sssd.conf file.

  2. Configure the PAM service to work with SSSD. See the System-Level Authentication Guide.

  3. To define when SSSD displays the warning, specify a number of days before the password expiry:

    1. To define the option globally for all domains, add pam_pwd_expiration_warning to the [pam] section of sssd.conf.

    2. To define the option individually for a particular domain, add pwd_expiration_warning to the corresponding domain section of sssd.conf.

      Note that in this case, an authentication provider must also be configured for the domain in the auth_provider option. See the System-Level Authentication Guide for details on configuring authentication providers.

For example, to configure SSSD to display a password expiry warning 7 days before the password expires for the LDAP domain:

[sssd]
services = nss,pam

[... file truncated ...]

[domain/LDAP]
[... file truncated ...]
auth_provider = ldap
pwd_expiration_warning = 7

For details, see the descriptions for pam_pwd_expiration_warning and pwd_expiration_warning in the sssd.conf(5) man page.
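To check that a finished sssd.conf follows the rules above, the following script is an added example (not part of the original document or of SSSD itself). It parses the file, and for every [domain/...] section reports the effective warning window: the domain's own pwd_expiration_warning if present, otherwise the global pam_pwd_expiration_warning from the [pam] section, otherwise 0, which means the SSSD filter is not applied and the server-side warning is shown as sent. It also flags a domain that sets pwd_expiration_warning without an auth_provider. The precedence of a domain-level value over the global one is taken from the procedure above; the sample configuration embedded in the script is constructed for illustration.

```python
"""Audit the password-expiry warning settings in an sssd.conf file.

Added example, not SSSD code. For each [domain/...] section it reports the
effective warning window in days and flags a domain-level setting that has
no auth_provider alongside it.
"""
import configparser
import sys

# Constructed sample sssd.conf used when no path is given (not a real file).
SAMPLE_CONF = """\
[sssd]
services = nss,pam
domains = LDAP, AD, IPA

[pam]
pam_pwd_expiration_warning = 14

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
pwd_expiration_warning = 7

[domain/AD]
id_provider = ad
auth_provider = ad

[domain/IPA]
id_provider = ipa
pwd_expiration_warning = 3
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text, keeping option names exactly as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def _days(value, where):
    """Validate a warning value: it must be a non-negative integer."""
    try:
        days = int(value)
    except ValueError:
        raise ValueError(f"{where}: non-integer value {value!r}") from None
    if days < 0:
        raise ValueError(f"{where}: negative value {days}")
    return days


def audit_expiry_warnings(text):
    """Return {domain: {"days": int, "source": str, "issues": [str]}}.

    source is "domain" (pwd_expiration_warning in the domain section),
    "pam" (pam_pwd_expiration_warning in [pam]) or "default" (neither set).
    days == 0 means the SSSD filter is not applied for that domain.
    """
    conf = parse_sssd_conf(text)
    global_days, global_source = 0, "default"
    if conf.has_option("pam", "pam_pwd_expiration_warning"):
        global_days = _days(conf.get("pam", "pam_pwd_expiration_warning"), "[pam]")
        global_source = "pam"

    report = {}
    for section in conf.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        issues = []
        if conf.has_option(section, "pwd_expiration_warning"):
            days = _days(conf.get(section, "pwd_expiration_warning"), f"[{section}]")
            source = "domain"
            # A domain-level warning requires an auth_provider in that domain.
            if not conf.has_option(section, "auth_provider"):
                issues.append("pwd_expiration_warning set but auth_provider missing")
        else:
            days, source = global_days, global_source
        report[domain] = {"days": days, "source": source, "issues": issues}
    return report


if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name, entry in audit_expiry_warnings(text).items():
        if entry["days"] == 0:
            status = "SSSD filter not applied; server-side warning shown as sent"
        else:
            status = f"warn {entry['days']} day(s) before expiry (from {entry['source']})"
        print(f"{name}: {status}")
        for issue in entry["issues"]:
            print(f"  WARNING: {issue}")
```

Run it as `python3 audit_sssd_expiry.py /etc/sssd/sssd.conf` (the file is normally readable only by root). A domain reported with 0 days is one where the server's own warning text reaches the user unfiltered, which matches the behaviour described in the notes above.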