13.2.17. Domain Options: Setting Password Expirations
Password policies generally set an expiration time, after which passwords expire and must be replaced. Password expiration policies are evaluated on the server side through the identity provider, then a warning can be processed and displayed in SSSD through its PAM service.
There are two ways to display password expiration warnings:
- The pam_pwd_expiration_warning parameter defines the global default setting for all domains on how far in advance of the password expiration to display a warning. This is set for the PAM service.
- The pwd_expiration_warning parameter defines the per-domain setting on how far in advance of the password expiration to display a warning. When using a domain-level password expiration warning, an authentication provider (auth_provider) must also be configured for the domain.
For example:
    [sssd]
    services = nss,pam
    ...
    [pam]
    pam_pwd_expiration_warning = 3
    ...
    [domain/EXAMPLE]
    id_provider = ipa
    auth_provider = ipa
    pwd_expiration_warning = 7
The password expiration warning must be sent from the server to SSSD for the warning to be displayed. If no password warning is sent from the server, no message is displayed through SSSD, even if the password expiration time is within the period set in SSSD.
If the password expiration warning is not set in SSSD or is set to 0, then the SSSD password warning filter is not applied and the server-side password warning is automatically displayed.
Note
As long as the password warning is sent from the server, the PAM or domain password expirations in effect override the password warning settings on the back end identity provider. For example, consider a back end identity provider that has the warning period set at 28 days, but the PAM service in SSSD has it set to 7 days. The provider sends the warning to SSSD starting at 28 days, but the warning is not displayed locally until 7 days, according to the password expiration set in the SSSD configuration.
Password Expiration Warnings for Non-Password Authentication
By default, password expiration is verified only if the user enters the password during authentication. However, you can configure SSSD to perform the expiration check and display the warning even when a non-password authentication method is used, for example, during SSH login.
To enable password expiration warnings with non-password authentication methods:
- Make sure the access_provider parameter is set to ldap in the sssd.conf file.
- Make sure the ldap_pwd_policy parameter is set in sssd.conf. In most situations, the appropriate value is shadow.
- Add one of the following pwd_expire_* values to the ldap_access_order parameter in sssd.conf. If the password is about to expire, each of these values only displays the expiration warning; they differ in how an already expired password is handled:
  - pwd_expire_policy_reject prevents the user from logging in if the password is already expired.
  - pwd_expire_policy_warn allows the user to log in even if the password is already expired.
  - pwd_expire_policy_renew prompts the user to immediately change the password if the user attempts to log in with an expired password.
For example:
    [domain/EXAMPLE]
    access_provider = ldap
    ldap_pwd_policy = shadow
    ldap_access_order = pwd_expire_policy_warn
For more details on using ldap_access_order and its values, see the sssd-ldap(5) man page.
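Both mechanisms described in this section (the global and per-domain warning window, and the pwd_expire_* values in ldap_access_order) have prerequisites that are easy to miss in a hand-edited sssd.conf. The following Python script is an added illustration, not part of the original documentation or of SSSD: it parses a constructed sssd.conf with configparser, resolves the effective warning window per domain, models when a warning is shown according to the note above, and flags missing prerequisites. The sample configuration, the function names and the finding messages are this example's own assumptions.

```python
import configparser
from typing import List, Optional

# Constructed sample sssd.conf (not from the page), modelled on this section's examples.
SAMPLE_SSSD_CONF = """
[pam]
pam_pwd_expiration_warning = 3
[domain/EXAMPLE]
id_provider = ipa
auth_provider = ipa
pwd_expiration_warning = 7
[domain/LDAP]
access_provider = ldap
ldap_access_order = pwd_expire_policy_warn
"""
PWD_EXPIRE_VALUES = {"pwd_expire_policy_reject", "pwd_expire_policy_warn",
                     "pwd_expire_policy_renew"}

def load_conf(text: str) -> configparser.ConfigParser:
    # Assumption: SSSD's INI syntax is close enough for configparser to read.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def effective_warning_days(cp: configparser.ConfigParser, domain: str) -> Optional[int]:
    """Per-domain pwd_expiration_warning overrides the [pam] default; None = filter off (unset or 0)."""
    value = (cp[f"domain/{domain}"].get("pwd_expiration_warning")
             or cp.get("pam", "pam_pwd_expiration_warning", fallback=None))
    days = int(value) if value else 0
    return days if days > 0 else None

def warning_displayed(server_sent: bool, days_left: int, sssd_days: Optional[int]) -> bool:
    """Model of the note: no server warning means no message; filter off shows the server warning as-is."""
    if not server_sent:
        return False
    return sssd_days is None or days_left <= sssd_days

def audit(cp: configparser.ConfigParser) -> List[str]:
    """Flag domains whose warning settings lack a prerequisite this section names."""
    findings = []
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        dom = cp[section]
        if "pwd_expiration_warning" in dom and "auth_provider" not in dom:
            findings.append(f"{section}: pwd_expiration_warning set without auth_provider")
        chosen = {v.strip() for v in dom.get("ldap_access_order", "").split(",")} & PWD_EXPIRE_VALUES
        if chosen and dom.get("access_provider") != "ldap":
            findings.append(f"{section}: {sorted(chosen)} requires access_provider = ldap")
        if chosen and "ldap_pwd_policy" not in dom:
            findings.append(f"{section}: ldap_pwd_policy is not set (usually shadow)")
    return findings
```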