13.2.17. Domain Options: Setting Password Expirations

Password policies generally set an expiration time, after which passwords expire and must be replaced. Password expiration policies are evaluated on the server side by the identity provider; SSSD can then process the resulting warning and display it through its PAM service.
There are two ways to display password expiration warnings:
  • The pam_pwd_expiration_warning parameter defines the global default setting for all domains on how far in advance of the password expiration to display a warning. This is set for the PAM service.
  • The pwd_expiration_warning parameter defines the per-domain setting on how far in advance of the password expiration to display a warning.
    When using a domain-level password expiration warning, an authentication provider (auth_provider) must also be configured for the domain.
For example:
[sssd]
services = nss,pam
...

[pam]
pam_pwd_expiration_warning = 3
...

[domain/EXAMPLE]
id_provider = ipa
auth_provider = ipa
pwd_expiration_warning = 7
The password expiration warning must be sent from the server to SSSD for the warning to be displayed. If no password warning is sent from the server, no message is displayed through SSSD, even if the password expiration time is within the period set in SSSD.
If the password expiration warning is not set in SSSD or is set to 0, then the SSSD password warning filter is not applied and the server-side password warning is automatically displayed.

Note

As long as the password warning is sent from the server, the PAM or domain password expiration settings in effect override the password warning settings on the back-end identity provider. For example, consider a back-end identity provider that has the warning period set to 28 days, while the PAM service in SSSD has it set to 7 days. The provider sends the warning to SSSD starting at 28 days before expiration, but the warning is not displayed locally until 7 days before expiration, according to the password expiration warning set in the SSSD configuration.

Password Expiration Warnings for Non-Password Authentication

By default, password expiration is verified only if the user enters the password during authentication. However, you can configure SSSD to perform the expiration check and display the warning even when a non-password authentication method is used, for example, during SSH login.
To enable password expiration warnings with non-password authentication methods:
  1. Make sure the access_provider parameter is set to ldap in the sssd.conf file.
  2. Make sure the ldap_pwd_policy parameter is set in sssd.conf. In most situations, the appropriate value is shadow.
  3. Add one of the following pwd_expire_* values to the ldap_access_order parameter in sssd.conf. When the password is about to expire, every one of these values only displays the expiration warning; they differ in what happens once the password has already expired:
    • pwd_expire_policy_reject prevents the user from logging in if the password is already expired.
    • pwd_expire_policy_warn allows the user to log in even if the password is already expired.
    • pwd_expire_policy_renew prompts the user to immediately change the password if the user attempts to log in with an expired password.
    For example:
    [domain/EXAMPLE]
    access_provider = ldap
    ldap_pwd_policy = shadow
    ldap_access_order = pwd_expire_policy_warn
    
For more details on using ldap_access_order and its values, see the sssd-ldap(5) man page.
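The following added example (not SSSD's own code, and not part of the original documentation) models the rules stated in both sections above in a small Python script: it parses an sssd.conf-style file with the standard configparser module, resolves the effective warning window for a domain (per-domain pwd_expiration_warning overriding the [pam] default, and requiring auth_provider), applies the display filter (nothing is shown unless the server sent a warning; 0 or unset passes the server warning through), and checks the three-step checklist for warnings during non-password authentication. The domain names EXAMPLE and LEGACY, the sample configuration, and all function names are constructed for this illustration; the real SSSD implementation is not consulted here.

```python
"""Simplified model of the SSSD password-expiration warning rules described
in this section. Added example only; the logic mirrors the documented
behaviour and is not SSSD's own implementation."""
import configparser

# Constructed sssd.conf for the example; EXAMPLE and LEGACY are placeholder domains.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = EXAMPLE, LEGACY

[pam]
pam_pwd_expiration_warning = 3

[domain/EXAMPLE]
id_provider = ipa
auth_provider = ipa
pwd_expiration_warning = 7

[domain/LEGACY]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_pwd_policy = shadow
ldap_access_order = pwd_expire_policy_warn
"""

# The three documented pwd_expire_* values accepted in ldap_access_order.
PWD_EXPIRE_VALUES = {"pwd_expire_policy_reject",
                     "pwd_expire_policy_warn",
                     "pwd_expire_policy_renew"}


def load_conf(text):
    """Parse sssd.conf-style text. Interpolation is disabled because SSSD
    values may legitimately contain '%' characters."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_warning_days(cp, domain):
    """Return the warning window SSSD applies for this domain.

    A per-domain pwd_expiration_warning wins over the [pam] default but is
    only valid when the domain also has an auth_provider. A missing setting
    is treated as 0, which the documentation says disables the SSSD filter."""
    section = f"domain/{domain}"
    if cp.has_option(section, "pwd_expiration_warning"):
        if not cp.has_option(section, "auth_provider"):
            raise ValueError(
                f"{section}: pwd_expiration_warning requires auth_provider")
        return cp.getint(section, "pwd_expiration_warning")
    return cp.getint("pam", "pam_pwd_expiration_warning", fallback=0)


def should_display_warning(cp, domain, days_left, server_sent_warning):
    """Decide whether SSSD shows the expiration warning to the user.

    - No warning from the server: nothing is shown, whatever SSSD's window is.
    - Window of 0 (or unset): the SSSD filter is off, server warning passes.
    - Otherwise: shown only once expiry is within the SSSD window."""
    if not server_sent_warning:
        return False
    window = effective_warning_days(cp, domain)
    if window == 0:
        return True
    return days_left <= window


def check_non_password_warning(cp, domain):
    """Check the three documented prerequisites for showing the expiration
    warning on non-password logins (for example SSH with keys). Returns a
    list of problems; an empty list means the domain is configured."""
    section = f"domain/{domain}"
    problems = []
    if cp.get(section, "access_provider", fallback="") != "ldap":
        problems.append("access_provider must be set to ldap")
    if not cp.has_option(section, "ldap_pwd_policy"):
        problems.append("ldap_pwd_policy is not set (shadow is usual)")
    order = cp.get(section, "ldap_access_order", fallback="")
    values = {v.strip() for v in order.split(",") if v.strip()}
    if not values & PWD_EXPIRE_VALUES:
        problems.append("ldap_access_order lacks a pwd_expire_policy_* value")
    return problems


if __name__ == "__main__":
    conf = load_conf(SAMPLE_SSSD_CONF)
    for dom in ("EXAMPLE", "LEGACY"):
        print(dom, "window:", effective_warning_days(conf, dom), "days")
        for days in (28, 7, 2):
            print(f"  {days} days left, server warned:",
                  should_display_warning(conf, dom, days, True))
        print("  non-password warning problems:",
              check_non_password_warning(conf, dom) or "none")
```

Running the script shows the precedence described in the Note: the EXAMPLE domain uses its own 7-day window rather than the 3-day PAM default, so a server warning sent 28 days out is held back until 7 days remain, while LEGACY (no per-domain value) falls back to the 3-day PAM setting. The checklist function reports EXAMPLE as not configured for non-password warnings, and LEGACY as configured.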