[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP with ppolicy and SSSD configuration question.



Viviano, Brad wrote:
Hello,
     I've searched the archives of this list, the web as best I can, and have
this same question asked to the sssd-devel mailing list and can not seem to
find an answer this my question.  I have a RHEL 6.4 server with OpenLDAP
2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPM's
from Redhat.  I have ppolicy configured in slapd and on another RHEL6.4 system
have sssd setup as a client.  Everything works fine with password expires,
grace periods, etc and sssd, if the user has to enter their password. But, if
the user is using an SSH public key, setting the account as locked or the
password is expired still allows them to log in.  I can't seem to find a good
solution that forces the user to change their password before they can login.

Why would you expect anything to validate their password if they are using an SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind with the user's password.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/