Hello,
I've searched the archives of this list and the web as best I can, and have asked this same
question on the sssd-devel mailing list, and cannot seem to find an answer to my
question. I have a RHEL 6.4 server with OpenLDAP 2.4.23-32.el6_4.1 and sssd
1.9.2-129.el6, both installed as standard RPMs from Redhat. I have ppolicy
configured in slapd and on another RHEL6.4 system have sssd setup as a client. Everything
works fine with password expires, grace periods, etc and sssd, if the user has to enter
their password. But, if the user is using an SSH public key, setting the account as
locked or the password is expired still allows them to log in. I can't seem to find a
good solution that forces the user to change their password before they can login.
The specifics are: sshd_config is configured to use PAM. My pam.d auth config is
standard for RHEL6, which is:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
I've confirmed that when a user logs in from ssh with both password and ssh keys, they
are going through the PAM sss.so just fine, by turning up the debugging levels and
watching the logs. I've read everything I can find on sssd and it appears that for
all cases of LDAP, sssd wants a single true/false value along the lines of
nsAccountLocked. I can't find anything in ppolicy that sets true/false for account
locked like other LDAP implementations do, all ppolicy seems to provide is
pwdAccountLockedTime.
While the issue seems more like a limitation on sssd's side, I thought I'd ask on
this list to see if anyone has been able to come up with a solution, or if there is
something in ppolicy I am missing for a true/false on whether DN=X is locked or not.
Thanks,
-Brad Viviano
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696
HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi(a)epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward(a)epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi(a)epa.gov
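Added example, not part of Brad's post or of the OpenLDAP/sssd projects: the single true/false the post is looking for has to be derived from ppolicy's operational attributes (pwdAccountLockedTime, with 000001010000Z meaning an administrative permanent lock, plus pwdChangedTime against the policy's pwdMaxAge). The entries and policy values below are constructed; in practice they would come from an ldapsearch of the user entry and its pwdPolicy object.

```python
from datetime import datetime, timedelta, timezone

# Sentinel value the ppolicy overlay stores in pwdAccountLockedTime when an
# administrator locks the account permanently (no pwdLockoutDuration applies).
PERMANENT_LOCK = "000001010000Z"

# Constructed "now" so the example is deterministic (2013-05-01 00:00 UTC).
NOW = datetime(2013, 5, 1, tzinfo=timezone.utc)

# Constructed pwdPolicy values, in seconds: 90-day max age, 15-minute lockout.
POLICY = {"pwdMaxAge": "7776000", "pwdLockoutDuration": "900"}

# Constructed user entries holding only the ppolicy operational attributes.
ENTRIES = {
    "admin-locked":   {"pwdAccountLockedTime": PERMANENT_LOCK,
                       "pwdChangedTime": "20130420000000Z"},
    "recent-lockout": {"pwdAccountLockedTime": "20130430235000Z",
                       "pwdChangedTime": "20130420000000Z"},
    "stale-lockout":  {"pwdAccountLockedTime": "20130101000000Z",
                       "pwdChangedTime": "20130420000000Z"},
    "expired-pw":     {"pwdChangedTime": "20130101000000Z"},
    "fresh-pw":       {"pwdChangedTime": "20130420000000Z"},
}

def parse_gtime(value):
    """Parse an LDAP GeneralizedTime such as 20130415103000Z (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def account_status(entry, policy, now):
    """Return (locked, expired) booleans for one entry under one pwdPolicy."""
    locked = False
    lock_time = entry.get("pwdAccountLockedTime")
    if lock_time == PERMANENT_LOCK:
        locked = True
    elif lock_time:
        duration = int(policy.get("pwdLockoutDuration", 0))
        # A pwdLockoutDuration of 0 means a lock never expires on its own.
        if duration == 0 or parse_gtime(lock_time) + timedelta(seconds=duration) > now:
            locked = True
    # pwdReset TRUE means the password must be changed at next login.
    expired = entry.get("pwdReset") == "TRUE"
    max_age = int(policy.get("pwdMaxAge", 0))
    changed = entry.get("pwdChangedTime")
    # Assumption for this example: with no pwdChangedTime, age cannot be computed.
    if max_age and changed and parse_gtime(changed) + timedelta(seconds=max_age) <= now:
        expired = True
    return locked, expired

def report(entries=ENTRIES, policy=POLICY, now=NOW):
    """Map each entry name to its (locked, expired) pair."""
    return {name: account_status(e, policy, now) for name, e in entries.items()}
```

Either flag being true is the condition under which a key-based login should be refused, which is the decision the PAM account phase (not the auth phase shown in the post) has to make.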