我已经将我们的一个jumpservers从openldapnscd迁移到ssd客户端,服务器运行Ubuntu 14.04 x64.一切都很好,除了一个非常重要的功能。当用户用过期的密码认证时,密码重置对话框不会弹出。我们的ldap服务器(OpenLdap 2.4)设置了90天的保留策略。在etcsssdssd.conf中使用不同的标志并没有带来预期的结果这里是ssd.conf。
# LDAP sssd config
[sssd]
debug_level = 8
domains = mydomain.local
config_file_version = 2
reconnection_retries = 3
services = nss, pam, ssh, sudo
[domain/mydomain.local]
debug_level = 8
cache_credentials = true
entry_cache_timeout = 600
ldap_search_base = dc=mydomain,dc=local
ldap_sudo_search_base = ou=SUDOers,dc=mydomain,dc=local
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
subdomain_homedir = /home/%d/%u
ldap_uri = ldaps://10.10.10.10
ldap_tls_reqcert = allow
account_cache_expiration = 7
ldap_schema = rfc2307
ldap_pwd_policy = shadow
ldap_chpass_update_last_change = true
pwd_expiration_warning = 0
reconnection_retries = 3
access_provider = simple
simple_allow_groups = Access_Jumpserver
[nss]
debug_level = 8
filter_groups = root
filter_users = backup,bin,daemon,Debian-exim,games,gnats,irc,list,lp,mail,man,messagebus,news,root,smmsp,smmta,sshd,sync,sys,syslog,uucp,uuidd
reconnection_retries = 3
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
debug_level = 8
pam_verbosity = 8
reconnection_retries = 3
offline_credentials_expiration = 7
offline_failed_login_attempts = 5
offline_failed_login_delay = 15
[sudo]
debug_level = 8
我很高兴在这里得到任何指导
作为一个临时的解决方案,我在登录脚本中使用以下功能,从etcbash.bashrc中调用。
calculate_pwd_age() {
local MAX_AGE=90
let "shdw_epoch = $(ldapsearch -x -LLL -H ldaps://10.0.0.1 "uid=${USER}" shadowLastChange | awk 'NR==2{print $2}')"
let "today = $(date +'%s') / 86400"
let "shdw_diff = ${today} - ${shdw_epoch}"
if [[ ${shdw_diff} -ge ${MAX_AGE} ]]; then
echo -e "\nYour password has expired. Please change it right now:\n"
sleep 2
passwd
fi
}