13.2.17. Domain Options: Setting Password Expirations
Password policies generally set an expiration time, after which passwords expire and must be replaced. The expiration policy itself is evaluated on the server side by the identity provider; SSSD then receives the server's warning and can process and display it through its PAM service.
There are two ways to configure when password expiration warnings are displayed:
The pam_pwd_expiration_warning parameter defines the global default for all domains: how many days in advance of the password expiration to display a warning. It is set in the [pam] section for the PAM service.
The pwd_expiration_warning parameter defines the per-domain setting, which overrides the global default for that domain. When using a domain-level password expiration warning, an authentication provider (auth_provider) must also be configured for the domain.
[sssd]
services = nss,pam
...
[pam]
pam_pwd_expiration_warning = 3
...
[domain/EXAMPLE]
id_provider = ipa
auth_provider = ipa
pwd_expiration_warning = 7
The password expiration warning must be sent from the server to SSSD for the warning to be displayed. If the server sends no password warning, SSSD displays no message, even if the password expiration time falls within the period set in SSSD.
If the password expiration warning is not set in SSSD or is set to 0, the SSSD password warning filter is not applied and the server-side password warning is displayed as received.
As long as the server sends a warning, the SSSD setting in effect (PAM-level or domain-level) governs when the user sees it and overrides the warning period configured on the back end identity provider. For example, consider a back end identity provider whose warning period is 28 days while the PAM service in SSSD is set to 7 days: the provider starts sending the warning 28 days before expiration, but SSSD does not display it until 7 days before, according to its own configuration. The SSSD window can only narrow the server's, never widen it, because no warning is shown before the server starts sending one.
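The precedence and filtering rules above, as an added example that is not SSSD's own code: it parses an sssd.conf fragment (constructed here, extending the section's example with two assumed domains, LEGACY with the filter explicitly disabled and OTHER with no per-domain setting), resolves the effective warning window per domain, and decides whether a warning is shown given the number of days the server reported. The server's warning is abstracted as a plain day count; None models a server that sent no warning.

```python
"""Model of how SSSD resolves and applies its password-expiration warning.

Added illustration for this section, not SSSD's own code. It parses an
sssd.conf fragment (constructed below, extending the section's example with
two extra domains) and resolves the warning window for a domain the way the
text describes: the domain's pwd_expiration_warning wins over the [pam]
section's pam_pwd_expiration_warning, and an unset or 0 value disables the
filter. It then applies the display rule: no message unless the server sent a
warning, and, when a filter is in effect, none until the expiry is within
the SSSD window.
"""
import configparser
from typing import Optional

# Constructed sssd.conf. EXAMPLE is the section's domain; LEGACY (filter
# explicitly disabled) and OTHER (no per-domain setting) are assumptions added
# to show the fallbacks.
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = EXAMPLE, LEGACY, OTHER

[pam]
pam_pwd_expiration_warning = 3

[domain/EXAMPLE]
id_provider = ipa
auth_provider = ipa
pwd_expiration_warning = 7

[domain/LEGACY]
id_provider = ldap
auth_provider = ldap
pwd_expiration_warning = 0

[domain/OTHER]
id_provider = ldap
auth_provider = ldap
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text. It is INI-style; interpolation is disabled so
    a literal '%' in a value (e.g. in an LDAP filter) is not special."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def effective_warning_days(conf: configparser.ConfigParser, domain: str) -> int:
    """Warning window SSSD applies to this domain, in days; 0 means no filter.

    Precedence per the section: domain-level pwd_expiration_warning, then the
    global [pam] pam_pwd_expiration_warning, then 0 (unset).
    """
    section = f"domain/{domain}"
    if conf.has_option(section, "pwd_expiration_warning"):
        return conf.getint(section, "pwd_expiration_warning")
    if conf.has_option("pam", "pam_pwd_expiration_warning"):
        return conf.getint("pam", "pam_pwd_expiration_warning")
    return 0


def warning_shown(conf: configparser.ConfigParser, domain: str,
                  server_days_left: Optional[int]) -> bool:
    """Whether the PAM conversation shows an expiration warning.

    server_days_left is the number of days the identity provider reported in
    its warning; None means the server sent no warning at all, in which case
    SSSD stays silent whatever its own setting says.
    """
    if server_days_left is None:
        return False
    window = effective_warning_days(conf, domain)
    if window == 0:
        return True  # filter disabled: pass the server warning straight through
    return server_days_left <= window


CONF = load_conf(SSSD_CONF)

if __name__ == "__main__":
    # The worked case from the text: server warns 28 days out, SSSD at 7 days.
    for days in (28, 10, 7, 2):
        print(f"EXAMPLE, {days} days left: shown={warning_shown(CONF, 'EXAMPLE', days)}")
```

Running it prints shown=False for 28 and 10 days and shown=True for 7 and 2 days, matching the 28-day versus 7-day case in the text; for LEGACY the same 28-day warning is shown unfiltered, and OTHER inherits the 3-day PAM default.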
Password Expiration Warnings for Non-Password Authentication
By default, password expiration is checked only if the user enters the password during authentication. However, you can configure SSSD to perform the expiration check and display the warning even when a non-password authentication method is used, for example an SSH login with a key.
To enable password expiration warnings with non-password authentication methods:
- Make sure the access_provider parameter is set to ldap, as in the example configuration below; the pwd_expire_* checks are performed by the LDAP access provider.
- Make sure the ldap_pwd_policy parameter is set in sssd.conf. In most situations, the appropriate value is shadow, as in the example configuration below.
- Add one of the following pwd_expire_* values to the ldap_access_order parameter in sssd.conf. If the password is about to expire but has not expired yet, each of these values only displays the expiration warning. They differ in what happens when the password has already expired:
  pwd_expire_policy_reject prevents the user from logging in if the password is already expired.
  pwd_expire_policy_warn allows the user to log in even if the password is already expired.
  pwd_expire_policy_renew prompts the user to change the password immediately if the user attempts to log in with an expired password.
[domain/EXAMPLE]
access_provider = ldap
ldap_pwd_policy = shadow
ldap_access_order = pwd_expire_policy_warn
For more details on using ldap_access_order and its values, and on the shadow attributes (shadowLastChange, shadowMax, shadowWarning) that ldap_pwd_policy = shadow evaluates, see the sssd-ldap(5) man page.
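The three pwd_expire_policy_* behaviours from the list above, as an added example that is not SSSD's code: it evaluates a user's shadow attributes (shadowLastChange, shadowMax, shadowWarning, as read from LDAP under ldap_pwd_policy = shadow) for a login that did not use a password, and returns the access decision each ldap_access_order value would produce. The sample entries are constructed; the boundary arithmetic follows the shadow(5) conventions and is an assumption about SSSD's exact behaviour at the edges.

```python
"""Model of the pwd_expire_policy_* decisions under ldap_pwd_policy = shadow.

Added illustration, not SSSD's own code. With ldap_pwd_policy = shadow the
LDAP provider evaluates the user's shadow attributes: shadowLastChange (day
the password was last set, in days since 1970-01-01), shadowMax (maximum
password age in days; absent or negative means it never expires) and
shadowWarning (days before expiry during which to warn). This models what each
ldap_access_order value from the section does with that result when the user
authenticated without a password (e.g. an SSH key). Boundary handling follows
shadow(5); SSSD's exact edge behaviour is an assumption here.
"""
from datetime import date
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)
POLICIES = ("pwd_expire_policy_reject", "pwd_expire_policy_warn",
            "pwd_expire_policy_renew")


def days_since_epoch(d: date) -> int:
    return (d - EPOCH).days


def days_until_expiry(entry: Dict[str, str], today: int) -> Optional[int]:
    """Days until the password expires (negative if already expired),
    or None if no aging policy applies to this entry."""
    last_change = entry.get("shadowLastChange")
    max_age = entry.get("shadowMax")
    if last_change is None or max_age is None or int(max_age) < 0:
        return None
    if int(last_change) == 0:
        # shadow(5): 0 means the user must change the password at next login.
        return -1
    return int(last_change) + int(max_age) - today


def decide(policy: str, entry: Dict[str, str], today: int) -> str:
    """Return 'allow', 'warn' (allow and show the expiration warning),
    'deny', or 'renew' (allow only after an immediate password change)."""
    if policy not in POLICIES:
        raise ValueError(f"not a pwd_expire_policy_* value: {policy}")
    left = days_until_expiry(entry, today)
    if left is None:
        return "allow"
    if left >= 0:
        # Not yet expired: all three policies behave the same and only warn
        # inside the shadowWarning window (shadow(5): fewer than N days left).
        warn_window = int(entry.get("shadowWarning", "0"))
        return "warn" if left < warn_window else "allow"
    # Already expired: this is where the three values diverge.
    if policy == "pwd_expire_policy_reject":
        return "deny"
    if policy == "pwd_expire_policy_warn":
        return "warn"
    return "renew"


def pwd_expire_policy_from(ldap_access_order: str) -> Optional[str]:
    """Pick the pwd_expire_policy_* entry out of a comma-separated
    ldap_access_order value, e.g. 'expire, pwd_expire_policy_warn'."""
    for item in ldap_access_order.split(","):
        item = item.strip()
        if item in POLICIES:
            return item
    return None


# Constructed sample entries, dated relative to a fixed "today" so the
# example is stable. shadowLastChange is stored as a string, as LDAP returns it.
TODAY = days_since_epoch(date(2024, 6, 1))
SAMPLE_USERS = {
    # Set 80 days ago, 90-day maximum: 10 days left, outside the 7-day window.
    "alice": {"shadowLastChange": str(TODAY - 80), "shadowMax": "90", "shadowWarning": "7"},
    # Set 85 days ago: 5 days left, inside the warning window.
    "bob": {"shadowLastChange": str(TODAY - 85), "shadowMax": "90", "shadowWarning": "7"},
    # Set 100 days ago: expired 10 days ago.
    "carol": {"shadowLastChange": str(TODAY - 100), "shadowMax": "90", "shadowWarning": "7"},
    # No shadowMax: the password never ages.
    "dave": {"shadowLastChange": str(TODAY - 400)},
    # shadowLastChange = 0: forced change at next login.
    "erin": {"shadowLastChange": "0", "shadowMax": "90", "shadowWarning": "7"},
}

if __name__ == "__main__":
    policy = pwd_expire_policy_from("pwd_expire_policy_warn")  # the section's setting
    for name, entry in SAMPLE_USERS.items():
        print(f"{name}: {decide(policy, entry, TODAY)}")
```

With the section's ldap_access_order = pwd_expire_policy_warn, carol and erin are still let in (warned) despite an expired password; switching the value to pwd_expire_policy_reject turns those two into denials, and pwd_expire_policy_renew into forced password changes, while alice, bob and dave are unaffected in all three cases.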