Centrify DirectControl 5.2.3+ on all OS platforms
Question:
How do I configure the Centrify PAM module to check for password expiration before even attempting authentication?
Answer:
Starting with DirectControl 5.2.3 [Centrify Server 2015.1 release], a new configurable PAM option, deny_pwexp, is available to have the Centrify PAM plugin check for password expiration before even attempting authentication:
1. Edit /etc/pam.d/system-auth
2. Set the pam_centrifydc.so auth line to: auth sufficient pam_centrifydc.so deny_pwexp
3. Restart adclient
This option is used by the "auth" module in pam.conf. If this option is present, the Centrify PAM plugin checks for password expiration before even attempting authentication. If the password has expired, the authentication attempt fails immediately without asking whether the user wants to change the password. This is useful for web applications, where it is not possible to prompt the user to change passwords.
For more information, please see the Centrify Server Suite 2015.1 Release Notes: https://www.centrify.com/downloads/products/documentation/suite2015/2015.1-release-notes/DirectControl-Release-Notes.html
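
To verify the change described above, the following added example (not Centrify's own tooling) scans a PAM file and reports every pam_centrifydc.so auth entry that lacks deny_pwexp. The function name check_deny_pwexp and the sample file contents are constructed for illustration; both the pam.d layout and the pam.conf layout (service name in the first column) are handled, and backslash-continued lines are assumed not to be used.

```sh
#!/bin/sh
# Added example: audit a PAM file for the deny_pwexp option.
# Exit status: 0 = every Centrify auth line has deny_pwexp,
#              1 = at least one lacks it, 2 = no Centrify auth line found.
check_deny_pwexp() {
    awk '
        { sub(/#.*/, "") }          # strip comments; awk re-splits the fields
        NF == 0 { next }
        {
            # pam.d: type is field 1. pam.conf: service is field 1, type is field 2.
            type = ($1 ~ /^-?(auth|account|password|session)$/) ? $1 : $2
            sub(/^-/, "", type)
            if (type != "auth") next
            mod = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /(^|\/)pam_centrifydc\.so$/) { mod = i; break }
            if (!mod) next
            found++
            ok = 0
            for (i = mod + 1; i <= NF; i++) if ($i == "deny_pwexp") ok = 1
            if (ok) print "OK      " FILENAME ":" FNR
            else  { print "MISSING " FILENAME ":" FNR; missing++ }
        }
        END { if (!found) exit 2; exit (missing ? 1 : 0) }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample for the check above
auth     required                       pam_env.so
auth     sufficient                     pam_centrifydc.so deny_pwexp
auth     [success=1 default=ignore]     pam_centrifydc.so
sshd     auth   sufficient              /lib/security/pam_centrifydc.so deny_pwexp
account  sufficient                     pam_centrifydc.so
#auth    sufficient                     pam_centrifydc.so
EOF
check_deny_pwexp "$sample" || echo "exit status: $?"
```

On a host, pass the file edited in step 1, for example check_deny_pwexp /etc/pam.d/system-auth.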