0

我已经将我们的一个 jumpservers 从 openldap/nscd 迁移到 sssd 客户端。服务器正在运行 Ubuntu 14.04 x64。除了一项非常重要的功能外,一切正常:当用户使用过期密码进行身份验证时,不会弹出密码重置对话框。我们在 ldap 服务器 (OpenLdap 2.4) 上设置了 90 天保留政策。在 /etc/sssd/sssd.conf 上使用不同的标志并没有带来预期的结果这里是 sssd.conf

# LDAP sssd config
[sssd]
debug_level = 8
domains = mydomain.local
config_file_version = 2
reconnection_retries = 3
services = nss, pam, ssh, sudo

[domain/mydomain.local]
debug_level = 8
cache_credentials = true
entry_cache_timeout = 600
ldap_search_base = dc=mydomain,dc=local
ldap_sudo_search_base = ou=SUDOers,dc=mydomain,dc=local
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
subdomain_homedir = /home/%d/%u
ldap_uri = ldaps://10.10.10.10
ldap_tls_reqcert = allow
account_cache_expiration = 7
ldap_schema = rfc2307
ldap_pwd_policy = shadow
ldap_chpass_update_last_change = true
pwd_expiration_warning = 0
reconnection_retries = 3
access_provider = simple
simple_allow_groups = Access_Jumpserver

[nss]
debug_level = 8
filter_groups = root
filter_users = backup,bin,daemon,Debian-exim,games,gnats,irc,list,lp,mail,man,messagebus,news,root,smmsp,smmta,sshd,sync,sys,syslog,uucp,uuidd
reconnection_retries = 3
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
debug_level = 8
pam_verbosity = 8
reconnection_retries = 3
offline_credentials_expiration = 7
offline_failed_login_attempts = 5
offline_failed_login_delay = 15

[sudo]
debug_level = 8

我会很高兴这里有任何方向

4

1 回答 1

0

作为临时解决方案,我在从 /etc/bash.bashrc 调用的登录脚本中使用以下函数

calculate_pwd_age() {
 local MAX_AGE=90
 let "shdw_epoch = $(ldapsearch -x -LLL -H ldaps://10.0.0.1 "uid=${USER}" shadowLastChange | awk 'NR==2{print $2}')"
 let "today = $(date +'%s') / 86400"
 let "shdw_diff = ${today} - ${shdw_epoch}"
 if [[ ${shdw_diff} -ge ${MAX_AGE} ]]; then
   echo -e  "\nYour password has expired. Please change it right now:\n"
   sleep 2
   passwd
 fi
}
于 2020-04-24T17:05:31.227 回答