This is for RHEL6.
Here is the issue: my users kept running into the situation where, upon logging in, they were shown:
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for foouser.
And then it automatically logs you out, which is expected behavior.
However, when they login again (with the password that they just set), they are again presented with the same password expiration warning. This repeats ad infinitum.
When I check the OpenLDAP server, and ldapsearch for the user record, it does show that the password was changed by that user on the correct date.
The key bit that I seem to have missed: a setting in /etc/pam_ldap.conf. You have to set the secure LDAP URI, since SSSD password transmissions must be encrypted:
    uri ldaps://10.9.8.7/
This should match the URI specified in /etc/openldap/ldap.conf:
    URI ldaps://10.9.8.7/
and the setting in /etc/sssd/sssd.conf:
    ldap_uri = ldaps://10.9.8.7/
And that fixed it.
I RTFMed: "sha512" is not an option for pam_password. This option hashes the password locally before passing it on to the LDAP server. The default is "clear", i.e. transmit the password in the clear to the LDAP server and assume the LDAP server will hash it if necessary. Another option is "crypt", which uses crypt(3):
    pam_password crypt
However, there does not seem to be a way to specify which hash algorithm is to be used.
I do not think this is a big issue because the connection to the LDAP server is encrypted anyway.
Why was this a surprise? Well, because in /etc/nsswitch.conf we specified sss as the source for the passwd, shadow, and group name services:
    passwd: files sss
    shadow: files sss
    group: files sss
I.e., everything should be mediated through SSSD, and the SSSD config does have the correct URI.
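As an added example (not from the original post), here is a small POSIX shell check covering the fix above and the pam_password note: it reads the three files the post names and fails unless all of them carry the same ldaps:// URI, and it reports the pam_password setting, since the "clear" default is only tolerable over an encrypted transport. The file contents are constructed stand-ins for /etc/pam_ldap.conf, /etc/openldap/ldap.conf and /etc/sssd/sssd.conf, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Verifies that pam_ldap.conf,
# openldap's ldap.conf and sssd.conf agree on one ldaps:// URI, which is the
# condition the fix in the post depends on. Sample files are constructed.

# conf_value FILE KEY -> first value of KEY in FILE. Key match is
# case-insensitive; both "key value" and "key = value" forms are accepted;
# comments and blank lines are ignored.
conf_value() {
    awk -v key="$2" '
        {
            line = $0
            sub(/#.*/, "", line)               # strip trailing comments
            sub(/^[[:space:]]+/, "", line)     # strip leading whitespace
            n = split(line, f, /[[:space:]=]+/)
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$1"
}

# check_ldap_uris PAM_LDAP_CONF LDAP_CONF SSSD_CONF
# Exit status 0 only when all three URIs exist, are identical and use ldaps://.
check_ldap_uris() {
    pam_uri=$(conf_value "$1" uri)
    ol_uri=$(conf_value "$2" URI)
    sssd_uri=$(conf_value "$3" ldap_uri)
    for u in "pam_ldap.conf=$pam_uri" "ldap.conf=$ol_uri" "sssd.conf=$sssd_uri"; do
        case "${u#*=}" in
            ldaps://*) ;;                                          # encrypted: fine
            "")        echo "FAIL: no URI set in ${u%%=*}"; return 1 ;;
            ldap://*)  echo "FAIL: plaintext LDAP in $u"; return 1 ;;
            *)         echo "FAIL: unexpected URI in $u"; return 1 ;;
        esac
    done
    if [ "$pam_uri" != "$ol_uri" ] || [ "$pam_uri" != "$sssd_uri" ]; then
        echo "FAIL: URI mismatch: $pam_uri / $ol_uri / $sssd_uri"
        return 1
    fi
    # pam_password defaults to "clear" (server hashes the password); that is
    # only acceptable because the transport checked above is ldaps://.
    pw_mode=$(conf_value "$1" pam_password)
    echo "OK: all three files use $pam_uri (pam_password=${pw_mode:-clear})"
    return 0
}

# --- constructed sample files, standing in for the real /etc files ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pam_ldap.conf" <<'EOF'
# constructed sample of /etc/pam_ldap.conf
uri ldaps://10.9.8.7/
pam_password crypt
EOF
cat > "$SAMPLE_DIR/ldap.conf" <<'EOF'
# constructed sample of /etc/openldap/ldap.conf
URI ldaps://10.9.8.7/
EOF
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
# constructed sample of /etc/sssd/sssd.conf
[domain/default]
ldap_uri = ldaps://10.9.8.7/
EOF
# Constructed bad case: pam_ldap.conf still pointing at a plaintext ldap:// URI.
cat > "$SAMPLE_DIR/pam_ldap_bad.conf" <<'EOF'
uri ldap://10.9.8.7/
EOF

check_ldap_uris "$SAMPLE_DIR/pam_ldap.conf" "$SAMPLE_DIR/ldap.conf" "$SAMPLE_DIR/sssd.conf"
if ! check_ldap_uris "$SAMPLE_DIR/pam_ldap_bad.conf" "$SAMPLE_DIR/ldap.conf" "$SAMPLE_DIR/sssd.conf"; then
    echo "(the constructed bad case fails, as intended)"
fi
```

To run it against a real host, replace the three sample paths with /etc/pam_ldap.conf, /etc/openldap/ldap.conf and /etc/sssd/sssd.conf; a non-zero exit means the three files do not agree on an encrypted URI, which is exactly the state the post describes.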