[Date Prev][Date Next]
Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
I've searched the archives of this list, the web as best I can, and have
this same question asked to the sssd-devel mailing list and can not seem to
find an answer this my question. I have a RHEL 6.4 server with OpenLDAP
2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPM's
from Redhat. I have ppolicy configured in slapd and on another RHEL6.4 system
have sssd setup as a client. Everything works fine with password expires,
grace periods, etc and sssd, if the user has to enter their password. But, if
the user is using an SSH public key, setting the account as locked or the
password is expired still allows them to log in. I can't seem to find a good
solution that forces the user to change their password before they can login.
Why would you expect anything to validate their password if they are using an
SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind
with the user's password.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/