
RE: OpenLDAP with ppolicy and SSSD configuration question.

    I'm not expecting it to validate their password, I am expecting it to check if their account is locked for some reason.  If their account is locked in LDAP, it shouldn't let them login under any circumstances.  For technical reasons we need ssh public keys to operate (IBM GPFS), but I don't want the user to be able to circumvent LDAP authority.  If I lock their account in LDAP they shouldn't be able to login to any system, and I shouldn't have to go to every one of my systems and disable their SSH keys manually.

    The ideal case would be that ppolicy has an attribute that lists if the account is locked or not.  This would also be useful when using pwdLockoutDuration.  If I'm using pwdLockoutDuration and pwdAccountLockedTime is set, I don't really know if the account is locked because I then have to do the math and take the pwdAccountLockedTime and add the value of pwdLockoutDuration for the policy applied to that user and see if their account is in fact locked.  If ppolicy just provided a true/false in addition to the LockedTime, that would be much more useful.

    Does anyone have a suggestion of an overlay that could create a derived attribute based on pwdAccountLockedTime so I could get a True/False value?

     -Brad Viviano

Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC

HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi@epa.gov
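The "do the math" step Brad describes (take pwdAccountLockedTime, add the policy's pwdLockoutDuration, compare with now) is easy to get wrong because of two special cases: the sentinel value 000001010000Z that slapo-ppolicy writes for an administrative lock, and a pwdLockoutDuration that is absent or 0, which means the lock only clears when an administrator resets it. The script below is an added example written for this thread, not code posted by anyone on the list or shipped with OpenLDAP or SSSD; the entry and policy values in it are constructed, and the function names are mine. It derives the True/False value Brad asks for from the attribute values as a client would read them.

```python
"""
Added example, not code from this thread: compute a True/False "locked"
value from the slapo-ppolicy state attributes.

Rules assumed here, following slapo-ppolicy(5) semantics:
  - no pwdAccountLockedTime                -> not locked
  - pwdAccountLockedTime == 000001010000Z  -> locked by an administrator,
                                              never expires on its own
  - pwdLockoutDuration absent or 0         -> locked until an admin resets it
  - otherwise                              -> locked while
                                              now < pwdAccountLockedTime + pwdLockoutDuration
"""
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional, Sequence

PERMANENT_LOCK = "000001010000Z"   # sentinel slapo-ppolicy writes for an admin lock


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20131125180700Z as UTC.
    A fractional-seconds part (20131125180700.123Z) is dropped."""
    if "." in value:
        value = value.split(".", 1)[0] + "Z"
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_is_locked(locked_time: Optional[str],
                      lockout_duration: Optional[int],
                      now: Optional[datetime] = None) -> bool:
    """Return True if the account is currently locked.

    locked_time      : value of pwdAccountLockedTime on the user entry, or None
    lockout_duration : pwdLockoutDuration (seconds) from the policy that
                       applies to the user, or None if the policy omits it
    now              : reference time (UTC); defaults to the current time
    """
    if locked_time is None:
        return False
    if locked_time == PERMANENT_LOCK:
        return True                       # explicit admin lock; no expiry
    if not lockout_duration:              # absent or 0: only an admin can unlock
        return True
    if now is None:
        now = datetime.now(timezone.utc)
    unlock_at = parse_generalized_time(locked_time) + timedelta(seconds=lockout_duration)
    return now < unlock_at


def lock_status(user_entry: Mapping[str, Sequence[str]],
                policy_entry: Mapping[str, Sequence[str]],
                now: Optional[datetime] = None) -> bool:
    """Same check over attribute dicts shaped like what an LDAP client
    library returns (attribute name -> list of string values)."""
    locked = user_entry.get("pwdAccountLockedTime")
    duration = policy_entry.get("pwdLockoutDuration")
    return account_is_locked(
        locked[0] if locked else None,
        int(duration[0]) if duration else None,
        now,
    )


if __name__ == "__main__":
    # Constructed sample data: a hypothetical user locked at 18:07 UTC under
    # a policy with a 10-minute pwdLockoutDuration.
    policy = {"pwdLockoutDuration": ["600"]}
    user = {"uid": ["jdoe"], "pwdAccountLockedTime": ["20131125180700Z"]}
    for when in ("20131125181500Z", "20131125181800Z"):
        state = "locked" if lock_status(user, policy, parse_generalized_time(when)) else "unlocked"
        print(when, state)
```

Two things to keep in mind when feeding real entries to this: pwdAccountLockedTime is an operational attribute, so a search has to request it by name (or with `+`) or it will not be returned, and pwdLockoutDuration has to be read from the policy entry that actually applies to the user (the one named by the user's pwdPolicySubentry, or the overlay's default policy), not from an arbitrary policy object.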

From: Howard Chu <hyc@symas.com>
Sent: Monday, November 25, 2013 1:07 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.

Viviano, Brad wrote:
> Hello,
>      I've searched the archives of this list, the web as best I can, and have
> this same question asked to the sssd-devel mailing list and can not seem to
> find an answer to my question.  I have a RHEL 6.4 server with OpenLDAP
> 2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPMs
> from Redhat.  I have ppolicy configured in slapd and on another RHEL6.4 system
> have sssd setup as a client.  Everything works fine with password expires,
> grace periods, etc and sssd, if the user has to enter their password. But, if
> the user is using an SSH public key, setting the account as locked or the
> password is expired still allows them to log in.  I can't seem to find a good
> solution that forces the user to change their password before they can login.

Why would you expect anything to validate their password if they are using an
SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind
with the user's password.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/