Viviano, Brad wrote:
I'm not expecting it to validate their password, I am expecting it to check if their account is locked for some reason. If their account is locked in LDAP, it shouldn't let them log in under any circumstances. For technical reasons we need ssh public keys to operate (IBM GPFS), but I don't want the user to be able to circumvent LDAP authority. If I lock their account in LDAP they shouldn't be able to log in to any system, and I shouldn't have to go to every one of my systems and disable their SSH keys manually.
So why don't you just write a script which removes SSH keys automatically?
The ideal case would be that ppolicy has an attribute that lists if the account is locked or not. This would also be useful when using pwdLockoutDuration. If I'm using pwdLockoutDuration and pwdAccountLockedTime is set, I don't really know if the account is locked because I then have to do the math and take the pwdAccountLockedTime and add the value of pwdLockoutDuration for the policy applied to that user and see if their account is in fact locked. If ppolicy just provided a true/false in addition to the LockedTime, that would be much more useful.
A script syncing SSH keys to the system can use whatever attributes are already available.
Ciao, Michael.
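As an added example (not part of this thread, and not OpenLDAP project code), here is the "do the math" step Brad describes, written as the core of the key-sync script Michael suggests. It works on entries already read from the directory (represented here as dicts of attribute lists, the way an ldapsearch result would be mapped), so it runs offline on constructed sample data. It assumes the openssh-lpk style sshPublicKey attribute for the keys, that the per-user pwdPolicySubentry overrides a default policy DN, and that pwdAccountLockedTime uses the ppolicy marker 000001010000Z for a permanent lock. Key material and DNs are placeholders.

```python
from datetime import datetime, timedelta, timezone

# ppolicy writes this value into pwdAccountLockedTime when an account is
# locked until an administrator clears it (no expiry arithmetic applies).
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime as slapd writes it, e.g. 20240301120000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def policy_for(user: dict, policies: dict, default_dn: str) -> dict:
    """Select the pwdPolicy subentry that applies to this user: per-user override, else default."""
    dn = user.get("pwdPolicySubentry", [default_dn])[0]
    return policies[dn]


def is_locked(user: dict, policy: dict, now: datetime) -> bool:
    """Derive the true/false lock state that ppolicy does not expose directly."""
    values = user.get("pwdAccountLockedTime", [])
    if not values:
        return False
    locked_at = values[0]
    if locked_at == PERMANENT_LOCK:
        return True
    # pwdLockoutDuration of 0 (or absent) means the lock never expires on its own.
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    if duration == 0:
        return True
    return now < parse_generalized_time(locked_at) + timedelta(seconds=duration)


def authorized_keys(user: dict, policy: dict, now: datetime) -> str:
    """authorized_keys content for the user: empty while the account is locked."""
    if is_locked(user, policy, now):
        return ""
    return "".join(key + "\n" for key in user.get("sshPublicKey", []))


def sync_all(users: dict, policies: dict, default_dn: str, now: datetime) -> dict:
    """Map uid -> authorized_keys content; a real sync writes each value to the user's file."""
    return {uid: authorized_keys(u, policy_for(u, policies, default_dn), now)
            for uid, u in users.items()}


# Constructed sample data (placeholder DNs and key strings, not real keys).
DEFAULT_POLICY = "cn=default,ou=policies,dc=example,dc=com"
STRICT_POLICY = "cn=strict,ou=policies,dc=example,dc=com"
POLICIES = {
    DEFAULT_POLICY: {"pwdLockout": ["TRUE"], "pwdLockoutDuration": ["900"]},  # 15 min
    STRICT_POLICY: {"pwdLockout": ["TRUE"], "pwdLockoutDuration": ["0"]},     # until admin unlock
}
NOW = datetime(2024, 3, 1, 12, 30, tzinfo=timezone.utc)
USERS = {
    # locked at 12:00 with a 15 min duration: expired by 12:30
    "alice": {"sshPublicKey": ["ssh-ed25519 AAAA-placeholder-alice alice@example.com"],
              "pwdAccountLockedTime": ["20240301120000Z"]},
    # locked at 12:25: still inside the 15 min window
    "bob": {"sshPublicKey": ["ssh-ed25519 AAAA-placeholder-bob bob@example.com"],
            "pwdAccountLockedTime": ["20240301122500Z"]},
    # administratively locked for good
    "carol": {"sshPublicKey": ["ssh-ed25519 AAAA-placeholder-carol carol@example.com"],
              "pwdAccountLockedTime": [PERMANENT_LOCK]},
    # same timestamp as alice, but the strict policy has no expiry
    "dave": {"sshPublicKey": ["ssh-ed25519 AAAA-placeholder-dave dave@example.com"],
             "pwdAccountLockedTime": ["20240301120000Z"],
             "pwdPolicySubentry": [STRICT_POLICY]},
    # never locked
    "erin": {"sshPublicKey": ["ssh-ed25519 AAAA-placeholder-erin erin@example.com"]},
}

if __name__ == "__main__":
    for uid, user in USERS.items():
        state = "LOCKED" if is_locked(user, policy_for(user, POLICIES, DEFAULT_POLICY), NOW) else "open"
        print(f"{uid}: {state}")
```

Run from cron against a fresh ldapsearch dump, or adapted to read one user and print to stdout, the same logic fits sshd's AuthorizedKeysCommand, so a locked account stops matching keys within one sync interval instead of requiring a visit to every host.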