I'm not expecting it to validate their password, I am expecting it to check if
their account is locked for some reason. If their account is locked in LDAP, it
shouldn't let them log in under any circumstances. For technical reasons we need ssh
public keys to operate (IBM GPFS), but I don't want the user to be able to circumvent
LDAP authority. If I lock their account in LDAP they shouldn't be able to log in to
any system, and I shouldn't have to go to every one of my systems and disable their
SSH keys manually.
The ideal case would be that ppolicy has an attribute that lists if the account is
locked or not. This would also be useful when using pwdLockoutDuration. If I'm using
pwdLockoutDuration and pwdAccountLockedTime is set, I don't really know if the account
is locked because I then have to do the math and take the pwdAccountLockedTime and add the
value of pwdLockoutDuration for the policy applied to that user and see if their account
is in fact locked. If ppolicy just provided a true/false in addition to the LockedTime,
that would be much more useful.
Does anyone have a suggestion for an overlay that could create a derived attribute
based on pwdAccountLockedTime so I could get a True/False value?
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi(a)epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward(a)epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi(a)epa.gov
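The "do the math" step described above, written out as an added example (it is not code from the thread or from OpenLDAP). It assumes the caller has already fetched the user entry and the pwdPolicy subentry that applies to that user (via pwdPolicySubentry or the default policy), and follows the ppolicy draft's rules: an absent pwdAccountLockedTime means not locked, the value 000001010000Z means an administrative lock that never expires, pwdLockoutDuration 0 means locked until an administrator resets it, and otherwise the lock ends at pwdAccountLockedTime plus pwdLockoutDuration. The sample values are constructed.

```python
"""Derive a True/False "is this account locked?" answer from OpenLDAP ppolicy
attributes.  Added example, not part of the original thread; the entry and
policy values used in the usage section are constructed, not taken from any
real directory."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Per the ppolicy draft, this value in pwdAccountLockedTime means the account
# was locked administratively and the lock never expires on its own.
ADMIN_LOCKED_SENTINEL = "000001010000Z"


def _scalar(value):
    """Accept a str, bytes, or the list-of-bytes shape python-ldap returns."""
    if isinstance(value, (list, tuple)):
        value = value[0] if value else None
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return value


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form ppolicy writes (YYYYMMDDHHMMSSZ)."""
    # ppolicy writes whole seconds in UTC; drop any fractional part if present.
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def is_account_locked(entry: dict, policy: dict,
                      now: Optional[datetime] = None) -> bool:
    """Return True if ppolicy state says this account may not authenticate.

    entry  -- attributes of the user entry (pwdAccountLockedTime, ...)
    policy -- attributes of the pwdPolicy subentry applied to that user
              (pwdLockoutDuration, in seconds)
    now    -- reference time; defaults to the current UTC time
    """
    now = now or datetime.now(timezone.utc)
    locked_time = _scalar(entry.get("pwdAccountLockedTime"))
    if not locked_time:
        return False                  # never locked, or the lock was cleared
    if locked_time == ADMIN_LOCKED_SENTINEL:
        return True                   # administrative lock, never expires
    duration = int(_scalar(policy.get("pwdLockoutDuration")) or 0)
    if duration == 0:
        return True                   # 0 = locked until an admin resets it
    # Automatic lockout: locked until pwdAccountLockedTime + pwdLockoutDuration.
    unlock_at = parse_generalized_time(locked_time) + timedelta(seconds=duration)
    return now < unlock_at


if __name__ == "__main__":
    # Constructed sample: a one-hour lockout policy and three user states.
    policy = {"pwdLockoutDuration": "3600"}
    check_time = parse_generalized_time("20131125180000Z")
    for label, entry in [
        ("never locked", {}),
        ("admin locked", {"pwdAccountLockedTime": "000001010000Z"}),
        ("locked 30 min ago", {"pwdAccountLockedTime": "20131125173000Z"}),
        ("locked 90 min ago", {"pwdAccountLockedTime": "20131125163000Z"}),
    ]:
        print(f"{label}: locked={is_account_locked(entry, policy, check_time)}")
```

A PAM module or an sshd AuthorizedKeysCommand wrapper could call this after an LDAP search for the user and its policy subentry, and refuse the login whenever it returns True; that gives the public-key path the same lock check that the password path gets from the bind response.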
From: Howard Chu <hyc(a)symas.com>
Sent: Monday, November 25, 2013 1:07 PM
To: Viviano, Brad; openldap-technical(a)openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
> I've searched the archives of this list, the web as best I can, and have
> this same question asked to the sssd-devel mailing list and can not seem to
> find an answer to my question. I have a RHEL 6.4 server with OpenLDAP
> 2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPMs
> from Redhat. I have ppolicy configured in slapd and on another RHEL6.4 system
> have sssd setup as a client. Everything works fine with password expiry,
> grace periods, etc. and sssd, if the user has to enter their password. But, if
> the user is using an SSH public key, setting the account as locked or the
> password being expired still allows them to log in. I can't seem to find a good
> solution that forces the user to change their password before they can login.
Why would you expect anything to validate their password if they are using an
SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind
with the user's password.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/