sssd does not support changing the user's password with "ldap_pwd_policy = shadow"
Issue
- sssd does not support changing the user's password with "ldap_pwd_policy = shadow"
Sample:
$ cat /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# openldap-servers without ppolicy.la
ldap_uri = ldap://ldapsrv1.example.com/
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_pwd_policy = shadow
debug_level = 0xffffff
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
$ ssh testuser@localhost
testuser@localhost's password:
Password expired. Change your password now.
Last login: Tue Feb 13 16:07:24 2018 from ::1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
Connection to localhost closed.
/var/log/secure:
passwd: pam_sss(passwd:chauthtok): Password change failed for user testuser: 28 (Module is unknown)
/var/log/sssd_default.log with debug_level = 0x0020:
[sssd[be[default]]] [sdap_pam_chpass_handler_auth_done] (0x0020): Changing shadow password attributes not implemented.
Environment
- Red Hat Enterprise Linux 7
- sssd
- openldap-servers without ppolicy.la
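An added example (not Red Hat's or the SSSD project's code): a Python check that flags enabled domains in an sssd.conf where an LDAP password-change provider is combined with ldap_pwd_policy = shadow, and that finds the backend log message quoted above. The sample config and log text are constructed from this page, the function names are hypothetical, and the provider fallback order is assumed from sssd.conf(5).

```python
import configparser
import re

# Constructed sample mirroring the configuration shown on this page.
SAMPLE_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_pwd_policy = shadow
[sssd]
domains = default
"""

# Constructed sample: the backend log line quoted on this page.
SAMPLE_LOG = "[sssd[be[default]]] [sdap_pam_chpass_handler_auth_done] (0x0020): Changing shadow password attributes not implemented.\n"

LOG_RE = re.compile(r"\[sssd\[be\[([^\]]+)\]\]\].*Changing shadow password attributes not implemented")


def affected_domains(conf_text):
    """Return enabled domains where an LDAP chpass provider meets ldap_pwd_policy = shadow."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    hits = []
    for name in enabled:
        section = "domain/" + name
        if not cp.has_section(section):
            continue
        dom = cp[section]
        # Tolerate a trailing "# ..." annotation after a value, as in the page's listing.
        val = lambda key, default="": dom.get(key, default).split("#")[0].strip().lower()
        # Assumed from sssd.conf(5): chpass_provider falls back to auth_provider, then id_provider.
        chpass = val("chpass_provider") or val("auth_provider") or val("id_provider")
        if chpass == "ldap" and val("ldap_pwd_policy", "none") == "shadow":
            hits.append(name)
    return hits


def domains_in_log(log_text):
    """Return domains whose backend log reports the unimplemented shadow password change."""
    return sorted({m.group(1) for m in map(LOG_RE.search, log_text.splitlines()) if m})


if __name__ == "__main__":
    print("config:", affected_domains(SAMPLE_CONF))
    print("log:", domains_in_log(SAMPLE_LOG))
```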
