[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP with ppolicy and SSSD configuration question.

To: "Viviano, Brad" <Viviano.Brad@epa.gov>, Michael Ströder <michael@stroeder.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
From: Howard Chu <hyc@symas.com>
Date: Wed, 27 Nov 2013 11:49:55 -0800
In-reply-to: <27909ab565294da18996ed6bb5c1a158@BY2PR09MB046.namprd09.prod.outlook.com>
References: <41790c97c84a4967be486c2b3b1dab1b@BY2PR09MB046.namprd09.prod.outlook.com>, <529391F3.2060001@symas.com> <b15c91651fae43a6a57df9ce8beb8324@BY2PR09MB046.namprd09.prod.outlook.com>, <52939911.4060105@symas.com> <dfb27e079e834c09b918a31ce28dc7d1@BY2PR09MB046.namprd09.prod.outlook.com>, <5296031A.10708@stroeder.com> <a6d2ecb728c74f8ba0ccaead37e833d8@BY2PR09MB046.namprd09.prod.outlook.com>, <52962E8F.6070004@symas.com> <27909ab565294da18996ed6bb5c1a158@BY2PR09MB046.namprd09.prod.outlook.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0 SeaMonkey/2.24a1

Viviano, Brad wrote:

Howard,
I don't see your point.


Clearly.

I'm not debating a user providing a password or
not.

I'm discussing how to inform the client that an account is locked. Slapd
already knows the account for DN=x is locked because the user provided an
invalid password too many times according the the policy and it set
pwdAccountLockedTime. The issue is, sssd, which is the standard for RHEL6 and
what I have to deal with doesn't understand that value. It wants a True/False,
not a timestamp. So what I'm asking about is, translating a timestamp to a
True/False.

slapd may indeed know that an entry DN=x has an accountLocked attribute set totrue, if you ask it. But *nobody* knows that DN=x corresponds to user y untilan LDAP Bind operation has been performed successfully for DN=x with acredential that user y provides. Until you perform that verification step, youcannot assert that any attribute in DN=x has any relevance to user y's loginattempt.


In your original post you talked about two scenarios:

one, where a user logs in with a password, in which case an LDAP Bind isperformed and a ppolicy response control can be returned giving the accountlock status.

  two, where a user logs in with only an ssh public key.

In the first case, everything works and there's nothing to worry about.

The second case is what I've been explaining to you here.

If you are forced to rely on sssd then you are unfortunately being forced torely on an insecure system.

I don't understand your second point. ANYONE can lock out a user with

ppolicy and that has nothing to so with sssd. I could do an ldapsearch and use
any users DN with an invalid password and lock them out if I hit the policy
settings that trigger the lock. Heck I could write a perl script that
requested every user with posixAccount objectClass and then proceed to bind
with invalid passwords to lock out the entire directory as a DoS.

Any such attempts would be obvious from syslog activity. What I was talkingabout would be a simple LDAP Modify request that would never raise suspicionor trip any alarms. But the obvious and more serious consequence is that theModify request could be used for the reverse - spoofing to re-enable a lockedaccount.

At any rate, as long as you insist on talking about how RHEL works I suggestyou contact RedHat for further support on this issue. It's their brokensoftware designs you're dealing with.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- RE: OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>

References:
- OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>
- Re: OpenLDAP with ppolicy and SSSD configuration question.
  - From: Howard Chu <hyc@symas.com>
- RE: OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>
- Re: OpenLDAP with ppolicy and SSSD configuration question.
  - From: Howard Chu <hyc@symas.com>
- RE: OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>
- Re: OpenLDAP with ppolicy and SSSD configuration question.
  - From: Michael Ströder <michael@stroeder.com>
- RE: OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>
- Re: OpenLDAP with ppolicy and SSSD configuration question.
  - From: Howard Chu <hyc@symas.com>
- RE: OpenLDAP with ppolicy and SSSD configuration question.
  - From: "Viviano, Brad" <Viviano.Brad@epa.gov>

Prev by Date: RE: OpenLDAP with ppolicy and SSSD configuration question.
Next by Date: RE: OpenLDAP with ppolicy and SSSD configuration question.
Index(es):
- Chronological
- Thread