Viviano, Brad wrote:
I'm not expecting it to validate their password, I am expecting it to check
if their account is locked for some reason. If their account is locked in
LDAP, it shouldn't let them login under any circumstances. For technical
reasons we need ssh public keys to operate (IBM GPFS), but I don't want the
user to be able to circumvent LDAP authority. If I lock their account in
LDAP they shouldn't be able to login to any system, and I shouldn't have to
go to every one of my systems and disable their SSH keys manually.
So why don't you just write a script which removes SSH keys automatically?
The ideal case would be that ppolicy has an attribute that lists if the
account is locked or not. This would also be useful when using
pwdLockoutDuration. If I'm using pwdLockoutDuration and
pwdAccountLockedTime is set, I don't really know if the account is locked
because I then have to do the math and take the pwdAccountLockedTime and
add the value of pwdLockoutDuration for the policy applied to that user and
see if their account is in fact locked. If ppolicy just provided a
true/false in addition to the LockedTime, that would be much more useful.
A script syncing SSH keys to the system can use whatever attributes are
already available.
Ciao, Michael.
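An added example, not from either poster: a Python sketch of the lock check the thread describes (pwdAccountLockedTime plus the policy's pwdLockoutDuration) and of the key-sync decision Michael suggests. It assumes the ppolicy attribute names above, the sentinel value 000001010000Z that slapo-ppolicy documents for administrative locks, and an sshPublicKey attribute (openssh-lpk schema); the directory entries and "now" are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# pwdAccountLockedTime value slapo-ppolicy writes for an administrative lock
ADMIN_LOCK_SENTINEL = "000001010000Z"

def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC LDAP GeneralizedTime such as '20240315115000Z'."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC GeneralizedTime, got {value!r}")
    base = value[:-1].split(".")[0]  # drop fractional seconds if present
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def account_is_locked(locked_time: Optional[str], lockout_duration: int,
                      now: datetime) -> bool:
    """True/false derived from pwdAccountLockedTime and pwdLockoutDuration (s)."""
    if locked_time is None:
        return False                     # never locked
    if locked_time == ADMIN_LOCK_SENTINEL:
        return True                      # locked by an administrator
    if lockout_duration == 0:
        return True                      # lock lasts until an admin resets it
    unlock_at = parse_generalized_time(locked_time) + timedelta(seconds=lockout_duration)
    return now < unlock_at

def keys_to_install(entries: list, now: datetime) -> dict:
    """uid -> keys allowed in authorized_keys; locked accounts get an empty list."""
    result = {}
    for e in entries:
        locked = account_is_locked(e.get("pwdAccountLockedTime"),
                                   e["pwdLockoutDuration"], now)
        result[e["uid"]] = [] if locked else list(e.get("sshPublicKey", []))
    return result

def _entry(uid, locked_time=None, duration=1800):
    # Constructed entry; real code resolves pwdLockoutDuration from the user's policy
    e = {"uid": uid, "pwdLockoutDuration": duration,
         "sshPublicKey": [f"ssh-ed25519 AAAA...{uid}"]}
    if locked_time is not None:
        e["pwdAccountLockedTime"] = locked_time
    return e

NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)  # constructed "now"
SAMPLE_ENTRIES = [
    _entry("alice"),                                  # never locked
    _entry("bob", "20240315115000Z"),                 # locked until 12:20
    _entry("carol", "20240315100000Z"),               # lock expired at 10:30
    _entry("dave", ADMIN_LOCK_SENTINEL, duration=0),  # administrative lock
]
```

A sync script would write the returned lists to each host's authorized_keys, so locking the account in LDAP removes the keys on the next run without touching every system by hand.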