Autocorrect "shell"
On Nov 25, 2013, at 1:33 PM, "Michael" mlstarling31@hotmail.com wrote:
Change the users she'll to nologin.
Mike
On Nov 25, 2013, at 1:23 PM, "Howard Chu" hyc@symas.com wrote:
Viviano, Brad wrote:
Hello, I've searched the archives of this list, the web as best I can, and have this same question asked to the sssd-devel mailing list and can not seem to find an answer this my question. I have a RHEL 6.4 server with OpenLDAP 2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPM's from Redhat. I have ppolicy configured in slapd and on another RHEL6.4 system have sssd setup as a client. Everything works fine with password expires, grace periods, etc and sssd, if the user has to enter their password. But, if the user is using an SSH public key, setting the account as locked or the password is expired still allows them to log in. I can't seem to find a good solution that forces the user to change their password before they can login.
Why would you expect anything to validate their password if they are using an SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind with the user's password.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/