Adjusting ACL's seems like overkill for this situation and I have to work within the
bounds of what sssd offers. sssd doesn't have a native check for pwdAccountLockedTime
when it does ppolicy based checking, the code just isn't there. sssd for LDAP auth
does support a True/False check for account locked, which is how Redhat DS, 389ds and IPA
do it, from what I've read. I've added a True/False as a schema extension, tested
it and it works. If I manually set accountLocked to TRUE on a DN, the user can't
login at all, it logs in the messages file the account it locked. Works perfect.
My question is, is there a better way to set that True/False attribute value based on
pwdAccountLockedTime. What I am looking for is, if pwdAccountLockedTime is set for DN=x,
then also set accountLocked=true for DN=x. Sure, I can do that with an external script,
but is there a way to do it from within slapd.
Basically can I create a virtual attribute so when a user queries for accountLocked, it
actually does a check for something else (pwdAccountLockedTime) and based on that value
returns True or False. I'm thinking in terms of a stored procedure offered on many
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi(a)epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward(a)epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi(a)epa.gov
From: Michael Ströder <michael(a)stroeder.com>
Sent: Wednesday, November 27, 2013 9:35 AM
To: Viviano, Brad; openldap-technical(a)openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
I understand what you are saying. It would of been nice if a
account locking method was included in the ppolicy or a similar overlay was
available like other LDAP server implementations provide.
It's very easy to lock accounts (or whatever entries) by ACLs.