13.2.17. Domain Options: Setting Password Expirations
The pam_pwd_expiration_warning parameter defines the global default setting for all domains on how far in advance of the password expiration to display a warning. This is set for the PAM service.
The pwd_expiration_warning parameter defines the per-domain setting on how far in advance of the password expiration to display a warning. When using a domain-level password expiration warning, an authentication provider (auth_provider) must also be configured for the domain.
    [sssd]
    services = nss,pam
    ...

    [pam]
    pam_pwd_expiration_warning = 3
    ...

    [domain/EXAMPLE]
    id_provider = ipa
    auth_provider = ipa
    pwd_expiration_warning = 7
0, then the SSSD password warning filter is not applied and the server-side password warning is automatically displayed.
Password Expiration Warnings for Non-Password Authentication
- Make sure the access_provider parameter is set to
- Make sure the ldap_pwd_policy parameter is set in sssd.conf. In most situations, the appropriate value is
- Add one of the following pwd_expire_* values to the sssd.conf. If the password is about to expire, each one of these values only displays the expiration warning. In addition:
  - pwd_expire_policy_reject prevents the user from logging in if the password is already expired.
  - pwd_expire_policy_warn allows the user to log in even if the password is already expired.
  - pwd_expire_policy_renew prompts the user to immediately change the password if the user attempts to log in with an expired password.
    [domain/EXAMPLE]
    access_provider = ldap
    ldap_pwd_policy = shadow
    ldap_access_order = pwd_expire_policy_warn
ldap_access_order and its values, see the sssd-ldap(5) man page.
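The settings in this section depend on each other, so a configuration can be checked mechanically before it is deployed. The following is an added example, not part of the original documentation or of SSSD: the audit function, the CORP and KEYS domains and the finding strings are constructed for illustration, and a missing pam_pwd_expiration_warning is assumed to mean 0.

```python
import configparser

EXPIRE_POLICIES = {"pwd_expire_policy_" + p for p in ("reject", "warn", "renew")}
# Constructed sample: CORP lacks auth_provider, KEYS lacks ldap_pwd_policy.
SAMPLE = """
[sssd]
services = nss,pam
[pam]
pam_pwd_expiration_warning = 3
[domain/EXAMPLE]
id_provider = ipa
auth_provider = ipa
pwd_expiration_warning = 7
[domain/CORP]
id_provider = ldap
pwd_expiration_warning = 0
[domain/KEYS]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = pwd_expire_policy_reject
"""

def audit(text):
    """Return {domain: (effective_warning_days, [findings])}."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    default = cfg.getint("pam", "pam_pwd_expiration_warning", fallback=0)  # assumed 0 if unset
    report = {}
    for name in cfg.sections():
        if not name.startswith("domain/"):
            continue
        dom, findings = cfg[name], []
        days = dom.getint("pwd_expiration_warning", fallback=default)  # domain overrides [pam]
        if "pwd_expiration_warning" in dom and "auth_provider" not in dom:
            findings.append("pwd_expiration_warning set without auth_provider")
        if days == 0:
            findings.append("warning is 0: SSSD filter off, server-side warning shown")
        order = {v.strip() for v in dom.get("ldap_access_order", "").split(",")}
        if order & EXPIRE_POLICIES:  # expiry handling for non-password logins
            if dom.get("access_provider") != "ldap":
                findings.append("pwd_expire_* needs access_provider = ldap")
            if "ldap_pwd_policy" not in dom:
                findings.append("pwd_expire_* needs ldap_pwd_policy")
        report[name[len("domain/"):]] = (days, findings)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the constructed sample, EXAMPLE is clean with a 7-day warning, CORP is flagged twice, and KEYS inherits the 3-day default but is flagged for the missing ldap_pwd_policy.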