
RE: OpenLDAP with ppolicy and SSSD configuration question.



Howard,
    I understand what you are saying.  It would have been nice if a generalized account locking method was included in the ppolicy or a similar overlay was available like other LDAP server implementations provide.  But so be it.  As others have suggested, I can spoof the same result, with some extra effort.
    I've added a schema extension called "accountLocked" which is a Boolean.  If that is true, then sssd won't let the user log in with either password or via SSH keys.  Now, for the best way to implement that setting.  I could write a perl script that queries every DN that has pwdAccountLockedTime and set the corresponding accountLocked to TRUE and run that from cron every 5 minutes, or something.  But I thought I'd ask if someone could suggest a better way, something the slapd server could do already, with an overlay maybe, so I am not dependent on an external process to make this change.

   Thanks,
     -Brad Viviano

===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696

HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi@epa.gov

________________________________________
From: Howard Chu <hyc@symas.com>
Sent: Monday, November 25, 2013 1:38 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.

Viviano, Brad wrote:
> Howard,
> I'm not expecting it to validate their password, I am expecting it to
> check if their account is locked for some reason. If their account is locked in
> LDAP, it shouldn't let them login under any circumstances. For technical
> reasons we need ssh public keys to operate (IBM GPFS), but I don't want the
> user to be able to circumvent LDAP authority. If I lock their account in LDAP
> they shouldn't be able to login to any system, and I shouldn't have to go to
> every one of my systems and disable their SSH keys manually.

You're missing the point. "ppolicy" is an abbreviation of *Password Policy* -
if the user didn't supply a password, then the policy is irrelevant and cannot
be applied.

pwdAccountLockedTime is set when a user has too many failed login attempts
using their password. It is not a generic "account is disabled" flag. If you
want that, you need to define your own attribute for the purpose because there
is no generic *Account Policy* spec for LDAP. (This is in fact one of the
outstanding objections to the last ppolicy draft, which prevented it from
moving forward as a standard RFC.)

> The ideal case would be that ppolicy has an attribute that lists if the
> account is locked or not. This would also be useful when using
> pwdLockoutDuration. If I'm using pwdLockoutDuration and pwdAccountLockedTime
> is set, I don't really know if the account is locked because I then have to do
> the math and take the pwdAccountLockedTime and add the value of
> pwdLockoutDuration for the policy applied to that user and see if their
> account is in fact locked. If ppolicy just provided a true/false in addition to
> the LockedTime, that would be much more useful.
>
> Does anyone have suggestions of an overlay that could create a derived
> attribute based on pwdAccountLockedTime so I could get a True/False value?
>
>     Thanks,
>       -Brad Viviano
>
> ===================================================
> Brad Viviano
> High Performance Computing & Scientific Visualization
> Lockheed Martin, Supporting the EPA
> Research Triangle Park, NC
> 919-541-2696
>
> HSCSS Task Order Lead - Ravi Nair
> 919-541-5467 - Nair.Ravi@epa.gov
> High Performance Computing Subtask Lead - Durward Jones
> 919-541-5043 - Jones.Durward@epa.gov
> Environmental Modeling and Visualization Lead - Heidi Paulsen
> 919-541-1834 - Paulsen.Heidi@epa.gov
>
> ________________________________________
> From: Howard Chu <hyc@symas.com>
> Sent: Monday, November 25, 2013 1:07 PM
> To: Viviano, Brad; openldap-technical@openldap.org
> Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
>
> Viviano, Brad wrote:
>> Hello,
>>       I've searched the archives of this list, the web as best I can, and have
>> this same question asked to the sssd-devel mailing list and can not seem to
>> find an answer to my question.  I have a RHEL 6.4 server with OpenLDAP
>> 2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPMs
>> from Redhat.  I have ppolicy configured in slapd and on another RHEL6.4 system
>> have sssd set up as a client.  Everything works fine with password expiry,
>> grace periods, etc and sssd, if the user has to enter their password. But, if
>> the user is using an SSH public key, setting the account as locked or the
>> password is expired still allows them to log in.  I can't seem to find a good
>> solution that forces the user to change their password before they can login.
>
> Why would you expect anything to validate their password if they are using an
> SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind
> with the user's password.
>
> --
>     -- Howard Chu
>     CTO, Symas Corp.           http://www.symas.com
>     Director, Highland Sun     http://highlandsun.com/hyc/
>     Chief Architect, OpenLDAP  http://www.openldap.org/project/
>


--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/