Adjusting ACLs seems like overkill for this situation, and I have to work within the bounds of what sssd offers. sssd doesn't have a native check for pwdAccountLockedTime when it does ppolicy-based checking; the code just isn't there. sssd for LDAP auth does support a True/False check for account locked, which is how Redhat DS, 389ds and IPA do it, from what I've read. I've added a True/False attribute as a schema extension, tested it, and it works. If I manually set accountLocked to TRUE on a DN, the user can't log in at all, and it logs in the messages file that the account is locked. Works perfectly.
My question is: is there a better way to set that True/False attribute value based on pwdAccountLockedTime? What I am looking for is, if pwdAccountLockedTime is set for DN=x, then also set accountLocked=true for DN=x. Sure, I can do that with an external script, but is there a way to do it from within slapd?
Basically, can I create a virtual attribute so that when a user queries for accountLocked, it actually checks something else (pwdAccountLockedTime) and, based on that value, returns True or False? I'm thinking in terms of a stored procedure, as offered by many SQL servers.
Thanks, -Brad Viviano
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696

HSCSS Task Order Lead - Ravi Nair 919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones 919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen 919-541-1834 - Paulsen.Heidi@epa.gov
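A sync script along the lines of the external-script option mentioned above, as an added example that is not part of this thread or of sssd/OpenLDAP: it derives the locked state the way ppolicy does at bind time (pwdAccountLockedTime plus pwdLockoutDuration, with the 000001010000Z sentinel meaning permanently locked) and only then writes the accountLocked flag, so an expired lockout whose timestamp is still present does not keep a user locked out. The attribute name accountLocked, the person filter, and the ldapi:// EXTERNAL bind are assumptions; python-ldap is needed only by sync().

```python
import re
from datetime import datetime, timedelta, timezone

# ppolicy stores this sentinel when an account is locked for good (administrative lock).
PERMANENT_LOCK = b"000001010000Z"
GT_RE = re.compile(rb"^(\d{14})(?:[.,]\d+)?Z$")

def parse_gt(value):
    """Parse an LDAP GeneralizedTime such as b'20131127093500Z' into a UTC datetime."""
    m = GT_RE.match(value)
    if not m:
        raise ValueError("unexpected GeneralizedTime: %r" % value)
    return datetime.strptime(m.group(1).decode(), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def is_locked(attrs, lockout_duration, now):
    """True if ppolicy would refuse a bind now. attrs is a python-ldap style
    dict (values are lists of bytes; pwdAccountLockedTime is operational and
    must be requested by name); lockout_duration is pwdLockoutDuration in
    seconds, 0 meaning locked until an administrator clears it."""
    values = attrs.get("pwdAccountLockedTime", [])
    if not values:
        return False
    locked_at = values[0]
    if locked_at == PERMANENT_LOCK or lockout_duration == 0:
        return True
    # ppolicy does not delete the attribute when the lockout expires; it only
    # compares it with pwdLockoutDuration at bind time, so mirror that check.
    return now < parse_gt(locked_at) + timedelta(seconds=lockout_duration)

def plan_changes(entries, lockout_duration, now):
    """Return (dn, new accountLocked value) for every entry whose flag is stale."""
    changes = []
    for dn, attrs in entries:
        want = b"TRUE" if is_locked(attrs, lockout_duration, now) else b"FALSE"
        have = attrs.get("accountLocked", [b"FALSE"])[0]
        if want != have:
            changes.append((dn, want))
    return changes

def sync(uri, base, lockout_duration):
    """Apply the plan to a live directory; assumes python-ldap and an ldapi:// URI."""
    import ldap  # python-ldap, not part of the standard library
    conn = ldap.initialize(uri)
    conn.sasl_external_bind_s()  # local root identity over ldapi://, assumed allowed to write
    entries = conn.search_s(base, ldap.SCOPE_SUBTREE, "(objectClass=person)",
                            ["accountLocked", "pwdAccountLockedTime"])
    for dn, value in plan_changes(entries, lockout_duration, datetime.now(timezone.utc)):
        conn.modify_s(dn, [(ldap.MOD_REPLACE, "accountLocked", [value])])
```

Run it from cron on the slapd host; if several ppolicy entries with different pwdLockoutDuration values apply, call plan_changes once per policy subtree with the matching duration.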
________________________________________
From: Michael Ströder michael@stroeder.com
Sent: Wednesday, November 27, 2013 9:35 AM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
I understand what you are saying. It would have been nice if a generalized account locking method were included in ppolicy, or if a similar overlay were available, as other LDAP server implementations provide.
It's very easy to lock accounts (or whatever entries) by ACLs.
Ciao, Michael.