[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP with ppolicy and SSSD configuration question.

Adjusting ACL's seems like overkill for this situation and I have to work within the bounds of what sssd offers.  sssd doesn't have a native check for pwdAccountLockedTime when it does ppolicy based checking, the code just isn't there.  sssd for LDAP auth does support a True/False check for account locked, which is how Redhat DS, 389ds and IPA do it, from what I've read.  I've added a True/False as a schema extension, tested it and it works.  If I manually set accountLocked to TRUE on a DN, the user can't login at all, it logs in the messages file the account it locked.  Works perfect.

My question is, is there a better way to set that True/False attribute value based on pwdAccountLockedTime.  What I am looking for is, if pwdAccountLockedTime is set for DN=x, then also set accountLocked=true for DN=x.  Sure, I can do that with an external script, but is there a way to do it from within slapd.

Basically can I create a virtual attribute so when a user queries for accountLocked, it actually does a check for something else (pwdAccountLockedTime) and based on that value returns True or False.  I'm thinking in terms of a stored procedure offered on many SQL servers.

    Thanks,
        -Brad Viviano

===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696

HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi@epa.gov

________________________________________
From: Michael Ströder <michael@stroeder.com>
Sent: Wednesday, November 27, 2013 9:35 AM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.

Viviano, Brad wrote:
> I understand what you are saying.  It would of been nice if a generalized
> account locking method was included in the ppolicy or a similar overlay was
> available like other LDAP server implementations provide.

It's very easy to lock accounts (or whatever entries) by ACLs.

Ciao, Michael.