[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP with ppolicy and SSSD configuration question.

To: "Viviano, Brad" <Viviano.Brad@epa.gov>, Michael Ströder <michael@stroeder.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
From: Howard Chu <hyc@symas.com>
Date: Wed, 27 Nov 2013 09:40:31 -0800
In-reply-to: <a6d2ecb728c74f8ba0ccaead37e833d8@BY2PR09MB046.namprd09.prod.outlook.com>
References: <41790c97c84a4967be486c2b3b1dab1b@BY2PR09MB046.namprd09.prod.outlook.com>, <529391F3.2060001@symas.com> <b15c91651fae43a6a57df9ce8beb8324@BY2PR09MB046.namprd09.prod.outlook.com>, <52939911.4060105@symas.com> <dfb27e079e834c09b918a31ce28dc7d1@BY2PR09MB046.namprd09.prod.outlook.com>, <5296031A.10708@stroeder.com> <a6d2ecb728c74f8ba0ccaead37e833d8@BY2PR09MB046.namprd09.prod.outlook.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0 SeaMonkey/2.24a1

Viviano, Brad wrote:

Adjusting ACL's seems like overkill for this situation and I have to work

within the bounds of what sssd offers. sssd doesn't have a native check for
pwdAccountLockedTime when it does ppolicy based checking, the code just isn't
there. sssd for LDAP auth does support a True/False check for account locked,
which is how Redhat DS, 389ds and IPA do it, from what I've read. I've added a
True/False as a schema extension, tested it and it works. If I manually set
accountLocked to TRUE on a DN, the user can't login at all, it logs in the
messages file the account it locked. Works perfect.

You're still missing the point that if the user didn't provide a password forLDAP Bind, then LDAP authentication *didn't happen*. If SSSD is still doing anLDAP authorization check here, that's a *bug*, because without a successfulauthentication, it has no way to verify that the provided username matches anyparticular LDAP entry. Therefore it cannot assert that any particular LDAPattribute has any relevance to the current login attempt.

My question is, is there a better way to set that True/False attribute
value

based on pwdAccountLockedTime. What I am looking for is, if
pwdAccountLockedTime is set for DN=x, then also set accountLocked=true for
DN=x. Sure, I can do that with an external script, but is there a way to do it
from within slapd.

Of course you can write a slapd overlay to do this, but it would be a mistakebecause your security mechanism is broken. Anyone with permission to write tothe directory could spoof their username attribute and lockout any user oftheir choice.


SSSD has a lot of issues. This is why we still recommend nssov.

Basically can I create a virtual attribute so when a user queries for

accountLocked, it actually does a check for something else
(pwdAccountLockedTime) and based on that value returns True or False. I'm
thinking in terms of a stored procedure offered on many SQL servers.

     Thanks,
         -Brad Viviano



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- RE: OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>

References:
- OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>
- Re: OpenLDAP with ppolicy and SSSD configuration question.
  - From: Howard Chu <hyc@symas.com>
- RE: OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>
- Re: OpenLDAP with ppolicy and SSSD configuration question.
  - From: Howard Chu <hyc@symas.com>
- RE: OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>
- Re: OpenLDAP with ppolicy and SSSD configuration question.
  - From: Michael Ströder <michael@stroeder.com>
- RE: OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>

Prev by Date: Re: Antw: Re: Q: monitoring attributes
Next by Date: Re: OpenLDAP with ppolicy and SSSD configuration question.
Index(es):
- Chronological
- Thread