Comment 5 for bug 1415545

martin (martin-andersen) wrote :

I find this issue a bit curious. I certainly understand the reason not to make the pw hashes available to any and all SSSD clients – providing one has root access – as that is obviously inherently insecure.

However, since regular users are indeed able to change their passwords once logged in via 'passwd', as well as update their shadowLastChange value provided 'ldap_chpass_update_last_change = true' is set in sssd.conf, the question becomes how to trigger the password-change warning during login without reverting to actually setting 'ldap_pwd_policy = shadow' (unless that option is simply there for compatibility purposes, i.e., show the warning, then call a regular passwd change exec operation without involving passwd:chauthtok).

Or perhaps a slightly different approach: how to activate this behaviour using the password-policy extended operation via sssd.conf? (the equivalent of setting 'pam_password exop' in ldap.conf)

There has to be a way to trigger just a password warning without making the whole hash available, provided shadowLastChange & shadowMax are available to be read on the client (which they are; at least in our setup, without exposing the hashes). There are undoubtedly many organizations with existing shadowLastChange values for all their users who would rather not perform intrusive changes to their ldap server setups to accomplish this.

Would certainly be interested in knowing whether anyone has made any progress getting this to work.
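The point the comment makes, that the expiry warning needs only the readable ageing attributes and not the hash, can be shown with the shadow(5) ageing rules applied to LDAP-style attribute values. This is an added example, not SSSD's code nor the commenter's; it assumes the optional shadowWarning attribute alongside the shadowLastChange and shadowMax mentioned above, and the entries and date are constructed.

```python
"""Password-ageing check from the shadow attributes a client can read.

Added example (not SSSD's own code): it applies the shadow(5) ageing rules
using only shadowLastChange / shadowMax / shadowWarning, which is all that a
"password expires in N days" warning at login needs. No hash is involved.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class AgeingResult:
    state: str                      # ok | warn | expired | must_change | no_expiry
    days_left: Optional[int] = None  # days until expiry (negative once expired)

def days_since_epoch(d: date) -> int:
    return (d - date(1970, 1, 1)).days

def check_shadow_ageing(attrs: dict, today: date) -> AgeingResult:
    """Evaluate shadow(5) ageing for one entry.

    `attrs` maps attribute name -> list of string values, the shape an LDAP
    client library returns (constructed here; no directory is contacted).
    """
    def first_int(name: str, default: int) -> int:
        vals = attrs.get(name)
        return int(vals[0]) if vals else default

    lastchg = first_int("shadowLastChange", -1)
    max_days = first_int("shadowMax", -1)
    warn_days = first_int("shadowWarning", 0)  # assumed attribute; optional in shadow(5)
    now = days_since_epoch(today)

    if lastchg == 0:                 # 0 means "must change at next login"
        return AgeingResult("must_change", 0)
    if lastchg < 0 or max_days < 0:  # missing/negative values disable ageing
        return AgeingResult("no_expiry")
    left = lastchg + max_days - now
    if left < 0:
        return AgeingResult("expired", left)
    if left <= warn_days:
        return AgeingResult("warn", left)
    return AgeingResult("ok", left)

# Constructed sample entries and a fixed date (16467 days since the epoch).
TODAY = date(2015, 2, 1)
SAMPLE_ENTRIES = {
    "alice": {"shadowLastChange": ["16400"], "shadowMax": ["90"], "shadowWarning": ["14"]},
    "bob":   {"shadowLastChange": ["16390"], "shadowMax": ["90"], "shadowWarning": ["14"]},
    "carol": {"shadowLastChange": ["16300"], "shadowMax": ["90"]},
    "dave":  {"shadowLastChange": ["0"],     "shadowMax": ["90"]},
    "erin":  {"shadowLastChange": ["16460"]},
}

def report(entries=SAMPLE_ENTRIES, today=TODAY) -> dict:
    """Map each user to its AgeingResult; the 'warn' entries are the login warnings."""
    return {user: check_shadow_ageing(a, today) for user, a in entries.items()}
```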