Michael, I can't foresee a time I would want a user to just disappear entirely from a system because their password is locked. I don't want locked users to be invisible, I want them to be locked so they can't log in. I still want NSS to know the users exist so when someone does an 'ls -l' it doesn't just list numbers for them, or if they need to query email or phone number, it's still available. There are a lot of reasons I can think of why I need to lock an account to prevent a user from logging into a given system, none that I can think of where I would want the user to 100% disappear because their account is locked.
I understand how ACLs work and I don't see changing ACLs as a solution to this problem. My RHEL admins won't take kindly to me just making users disappear on their systems because their account is locked, they're funny that way. They'd rather a message showed up in syslog that says user X is locked when the user tries to log in, so they see it.
Thanks, -Brad
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696
HSCSS Task Order Lead - Ravi Nair 919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones 919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen 919-541-1834 - Paulsen.Heidi@epa.gov
________________________________________
From: Michael Ströder michael@stroeder.com
Sent: Wednesday, November 27, 2013 1:10 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
> Adjusting ACLs seems like overkill for this situation and I have to work within the bounds of what sssd offers.
I'm doing this with sssd and it's definitely not overkill => there's no valid excuse to not learn about ACLs
And it does not only work for applications/clients which support a custom name-your-favourite-vendor-specific-lock-attribute-here. If done right ACLs simply make entries invisible for sssd or *every* application integrated with your LDAP server.
Ciao, Michael.
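Editor's note: the two approaches argued over above can be written down concretely. The following cn=config LDIF is an added example, not configuration posted by either participant; the suffix dc=example,dc=com, the ou=People container, the uid=jdoe entry and the cn=admin DN are hypothetical names. The first record is Michael's ACL approach: a `filter=` clause on the access rule matches every entry carrying the operational attribute pwdAccountLockedTime (which slapo-ppolicy sets when it locks an account) and denies it to everyone but the admin, so sssd and every other client simply stop seeing the entry. The second record is the lock Brad is describing: setting pwdAccountLockedTime to the documented permanent-lock value 000001010000Z makes ppolicy refuse the user's bind while the entry stays readable for NSS lookups.

```ldif
# Added example (not from the thread). Hypothetical names:
# suffix dc=example,dc=com, database olcDatabase={1}mdb,cn=config,
# admin DN cn=admin,dc=example,dc=com. Assumes slapo-ppolicy is loaded.

# --- Approach 1: make locked entries invisible via ACL (Michael) ---
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: password hashes are never readable; binds still work.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Rule 1: any entry under ou=People that ppolicy has locked
# (pwdAccountLockedTime present) is hidden from everyone except the admin.
# Because this denies the entry itself, sssd's NSS lookups return nothing
# for the user, which is exactly the "user disappears" effect.
olcAccess: {1}to dn.subtree="ou=People,dc=example,dc=com" filter=(pwdAccountLockedTime=*)
  by dn.exact="cn=admin,dc=example,dc=com" write
  by * none
# Rule 2: everything else stays visible to authenticated clients such as
# the sssd bind account.
olcAccess: {2}to *
  by dn.exact="cn=admin,dc=example,dc=com" write
  by users read
  by anonymous auth

# --- Approach 2: lock the account but keep the entry visible (Brad) ---
# Apply as the rootdn (pwdAccountLockedTime is operational, so normal
# write ACLs do not cover it; this is an assumption about your privileges).
# 000001010000Z is the slapo-ppolicy value for "locked permanently until a
# password administrator unlocks it". With the ACL above NOT in place, the
# entry remains readable, 'ls -l' still resolves the uid, and the only thing
# that fails is the user's own bind.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 000001010000Z
```

Rule order matters: rule 1 must precede the catch-all in rule 2, since slapd stops at the first `to` clause that matches the target. Note also that the two approaches are not mutually exclusive in mechanism, only in effect; both rely on the same pwdAccountLockedTime attribute, and the ACL is what decides whether a lock also means invisibility. The syslog message Brad asks for is not produced by either record; that would come from the client side (sssd/PAM) reporting the failed bind.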