Howard, I understand what you are saying. It would have been nice if a generalized account locking method was included in the ppolicy or a similar overlay was available like other LDAP server implementations provide. But so be it. As others have suggested, I can spoof the same result, with some extra effort. I've added a schema extension called "accountLocked" which is a Boolean. If that is true, then sssd won't let the user login with either password or via SSH keys. Now, for the best way to implement that setting. I could write a perl script that queries every DN that has pwdAccountLockedTime and sets the corresponding accountLocked to TRUE and run that from cron every 5 minutes, or something. But I thought I'd ask if someone could suggest a better way, something the slapd server could do already, with an overlay maybe, so I am not dependent on an external process to make this change.
Thanks, -Brad Viviano
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696

HSCSS Task Order Lead - Ravi Nair 919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones 919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen 919-541-1834 - Paulsen.Heidi@epa.gov
________________________________________
From: Howard Chu hyc@symas.com
Sent: Monday, November 25, 2013 1:38 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
Howard, I'm not expecting it to validate their password, I am expecting it to check if their account is locked for some reason. If their account is locked in LDAP, it shouldn't let them login under any circumstances. For technical reasons we need ssh public keys to operate (IBM GPFS), but I don't want the user to be able to circumvent LDAP authority. If I lock their account in LDAP they shouldn't be able to login to any system, and I shouldn't have to go to every one of my systems and disable their SSH keys manually.
You're missing the point. "ppolicy" is an abbreviation of *Password Policy* - if the user didn't supply a password, then the policy is irrelevant and cannot be applied.
pwdAccountLockedTime is set when a user has too many failed login attempts using their password. It is not a generic "account is disabled" flag. If you want that, you need to define your own attribute for the purpose because there is no generic *Account Policy* spec for LDAP. (This is in fact one of the outstanding objections to the last ppolicy draft, which prevented it from moving forward as a standard RFC.)
The ideal case would be that ppolicy has an attribute that lists if the account is locked or not. This would also be useful when using pwdLockoutDuration. If I'm using pwdLockoutDuration and pwdAccountLockedTime is set, I don't really know if the account is locked because I then have to do the math and take the pwdAccountLockedTime and add the value of pwdLockoutDuration for the policy applied to that user and see if their account is in fact locked. If ppolicy just provided a true/false in addition to the LockedTime, that would be much more useful.
Does anyone have a suggestion of an overlay that could create a derived attribute based on pwdAccountLockedTime so I could get a True/False value.
Thanks, -Brad Viviano
From: Howard Chu hyc@symas.com
Sent: Monday, November 25, 2013 1:07 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
Hello, I've searched the archives of this list, the web as best I can, and have this same question asked to the sssd-devel mailing list and cannot seem to find an answer to my question. I have a RHEL 6.4 server with OpenLDAP 2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPMs from Redhat. I have ppolicy configured in slapd and on another RHEL6.4 system have sssd setup as a client. Everything works fine with password expiry, grace periods, etc and sssd, if the user has to enter their password. But, if the user is using an SSH public key, setting the account as locked or the password is expired still allows them to log in. I can't seem to find a good solution that forces the user to change their password before they can login.
Why would you expect anything to validate their password if they are using an SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind with the user's password.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
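The arithmetic the thread describes (is pwdAccountLockedTime plus the applicable policy's pwdLockoutDuration still in the future?) and the cron-driven derivation of a custom accountLocked Boolean from it, worked through as an added example. This is not code from the thread, from OpenLDAP or from sssd; it assumes the user and policy entries have already been read from the directory into plain dicts (the LDAP search itself is left out so the example runs offline), that the custom attribute is named accountLocked as in the thread, and that the `plan_changes`, `is_locked` and `to_ldif` helpers, the policy DNs and the user entries are all constructed here. The permanent-lock value and the meaning of a zero pwdLockoutDuration follow the OpenLDAP ppolicy overlay's documented behaviour.

```python
"""Derive a Boolean accountLocked flag from ppolicy's pwdAccountLockedTime.

Hypothetical helper (not part of OpenLDAP or sssd). Entries and policies are
plain dicts standing in for what an LDAP search would return.
"""
from datetime import datetime, timedelta, timezone

# Value the OpenLDAP ppolicy overlay stores in pwdAccountLockedTime for an
# administrative (permanent) lock.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse the GeneralizedTime form slapd writes (YYYYmmddHHMMSSZ) as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_locked(locked_time, lockout_duration, now):
    """The check from the thread: locked if the lockout window has not expired.

    locked_time: the pwdAccountLockedTime value, or None if the attribute is absent.
    lockout_duration: pwdLockoutDuration of the applicable policy, in seconds;
    0 or None means the account stays locked until an administrator resets it.
    """
    if locked_time is None:
        return False
    if locked_time == PERMANENT_LOCK:
        return True
    if not lockout_duration:
        return True
    return now < parse_generalized_time(locked_time) + timedelta(seconds=lockout_duration)


def lockout_duration_for(entry, policies, default_policy_dn):
    """Use the policy named by pwdPolicySubentry, else the default policy."""
    policy_dn = entry.get("pwdPolicySubentry", default_policy_dn)
    return policies.get(policy_dn, {}).get("pwdLockoutDuration", 0)


def plan_changes(entries, policies, default_policy_dn, now):
    """Return [(dn, 'TRUE'|'FALSE')] for every entry whose accountLocked is stale."""
    changes = []
    for entry in entries:
        duration = lockout_duration_for(entry, policies, default_policy_dn)
        wanted = "TRUE" if is_locked(entry.get("pwdAccountLockedTime"), duration, now) else "FALSE"
        if entry.get("accountLocked", "FALSE") != wanted:
            changes.append((entry["dn"], wanted))
    return changes


def to_ldif(changes):
    """Render the planned changes as one LDIF modify record per entry."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: accountLocked\naccountLocked: {value}\n"
        for dn, value in changes
    )


# Constructed sample data, not taken from any real directory.
NOW = datetime(2013, 11, 25, 18, 38, 0, tzinfo=timezone.utc)
DEFAULT_POLICY_DN = "cn=default,ou=policies,dc=example,dc=com"
POLICIES = {
    DEFAULT_POLICY_DN: {"pwdLockoutDuration": 600},                       # 10-minute lockout
    "cn=strict,ou=policies,dc=example,dc=com": {"pwdLockoutDuration": 0},  # locked until reset
}
ENTRIES = [
    # locked 8 minutes ago under a 10-minute lockout: still locked -> TRUE
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "pwdAccountLockedTime": "20131125183000Z", "accountLocked": "FALSE"},
    # locked 98 minutes ago: lockout expired, flag must be cleared -> FALSE
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "pwdAccountLockedTime": "20131125170000Z", "accountLocked": "TRUE"},
    # administrative permanent lock -> TRUE
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "pwdAccountLockedTime": PERMANENT_LOCK},
    # no ppolicy lock at all but a stale TRUE flag -> FALSE
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "accountLocked": "TRUE"},
    # strict policy with pwdLockoutDuration 0: locked until reset -> TRUE
    {"dn": "uid=erin,ou=people,dc=example,dc=com",
     "pwdAccountLockedTime": "20131125120000Z",
     "pwdPolicySubentry": "cn=strict,ou=policies,dc=example,dc=com",
     "accountLocked": "FALSE"},
]

if __name__ == "__main__":
    # A cron job would feed this LDIF to ldapmodify after a real search.
    print(to_ldif(plan_changes(ENTRIES, POLICIES, DEFAULT_POLICY_DN, NOW)))
```

Two points a practitioner should keep in mind with this approach: the flag is only as fresh as the cron interval, so a newly locked account can still log in by key for up to one interval, and the script treats accountLocked as purely derived, so if the same attribute is also set by hand to disable an account, the clearing step must be restricted to flags the script itself set (for instance by using a separate attribute for manual disables).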