[Date Prev][Date Next]
RE: OpenLDAP with ppolicy and SSSD configuration question.
Adjusting ACL's seems like overkill for this situation and I have to work within the bounds of what sssd offers. sssd doesn't have a native check for pwdAccountLockedTime when it does ppolicy based checking, the code just isn't there. sssd for LDAP auth does support a True/False check for account locked, which is how Redhat DS, 389ds and IPA do it, from what I've read. I've added a True/False as a schema extension, tested it and it works. If I manually set accountLocked to TRUE on a DN, the user can't login at all, it logs in the messages file the account it locked. Works perfect.
My question is, is there a better way to set that True/False attribute value based on pwdAccountLockedTime. What I am looking for is, if pwdAccountLockedTime is set for DN=x, then also set accountLocked=true for DN=x. Sure, I can do that with an external script, but is there a way to do it from within slapd.
Basically can I create a virtual attribute so when a user queries for accountLocked, it actually does a check for something else (pwdAccountLockedTime) and based on that value returns True or False. I'm thinking in terms of a stored procedure offered on many SQL servers.
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi@epa.gov
From: Michael Ströder <email@example.com>
Sent: Wednesday, November 27, 2013 9:35 AM
To: Viviano, Brad; firstname.lastname@example.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
> I understand what you are saying. It would of been nice if a generalized
> account locking method was included in the ppolicy or a similar overlay was
> available like other LDAP server implementations provide.
It's very easy to lock accounts (or whatever entries) by ACLs.