On 27/11/2013 20:51, Michael Ströder wrote:
> Viviano, Brad wrote:
>> I can't foresee a time I would want a user to just disappear entirely from
>> a system because their password is locked. I don't want locked users to be
>> invisible, I want them to be locked so they can't log in.
> Gee, can't you read about ACLs *before* responding like that.
> You don't have to make them invisible like I do. You can also just lock auth
> access to 'userPassword'.
Changing access to userPassword, whether by ACL or by modifying the
attribute value itself, doesn't have any effect when the user has an SSH
key because LDAP is not involved in authentication.
There's no clean way to deal with this in my opinion. In the past I've
modified accounts' shell attribute to prevent logins at the point
they're determined to be disabled, and put it back when the account is
deemed unlocked.
Modifying the shell is useless for non-Unix systems though (web
applications for example).
Now I use a custom 'lock' attribute on all accounts and use an LDAP
filter at the client end. This is fine for our purposes but could be a
problem for appliances that don't provide much in the way of LDAP
configuration options.
--
Liam Gretton liam.gretton(a)le.ac.uk
HPC Architect
http://www.le.ac.uk/its/
IT Services Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
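An added audit script, not from this thread or any poster, that checks an LDAP export for the gap Liam describes: accounts whose password is locked but which still carry SSH keys and no explicit lock attribute, so key-based SSH logins keep working. The LDIF below is constructed sample data, `x-accountLocked` is an assumed name for a custom lock attribute, and the `!` prefix on userPassword is an assumed locking convention.

```python
# Constructed sample LDIF export (plain values only, no base64/continuations).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
userPassword: {SSHA}fakehash1
sshPublicKey: ssh-ed25519 AAAAfakekey1 alice@laptop

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
userPassword: !{SSHA}fakehash2
sshPublicKey: ssh-ed25519 AAAAfakekey2 bob@laptop

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
userPassword: {SSHA}fakehash3
pwdAccountLockedTime: 000001010000Z
sshPublicKey: ssh-ed25519 AAAAfakekey3 carol@laptop
x-accountLocked: TRUE
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, lower-cased attribute names."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def password_locked(entry):
    """Locked by ppolicy (pwdAccountLockedTime) or by the assumed '!' prefix."""
    if entry.get("pwdaccountlockedtime"):
        return True
    return any(v.startswith("!") for v in entry.get("userpassword", []))

def visible_to_client(entries, lock_attr="x-accountlocked"):
    """uids a client applying the filter (!(lock_attr=TRUE)) would still see."""
    return [e["uid"][0] for e in entries
            if e.get(lock_attr, ["FALSE"])[0].upper() != "TRUE"]

def ssh_key_bypass(entries, lock_attr="x-accountlocked"):
    """uids with a locked password, an SSH key, and no lock flag: the gap."""
    return [e["uid"][0] for e in entries
            if password_locked(e) and e.get("sshpublickey")
            and e["uid"][0] in visible_to_client([e], lock_attr)]
```

Run `ssh_key_bypass(parse_ldif(SAMPLE_LDIF))` to list the accounts (here only `bob`) that a password lock alone does not stop.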