
Re: OpenLDAP with ppolicy and SSSD configuration question.



Change the user's shell to nologin.

Mike



> On Nov 25, 2013, at 1:23 PM, "Howard Chu" <hyc@symas.com> wrote:
> 
> Viviano, Brad wrote:
>> Hello,
>>     I've searched the archives of this list and the web as best I can, and have
>> asked this same question on the sssd-devel mailing list, and I cannot seem to
>> find an answer to my question.  I have a RHEL 6.4 server with OpenLDAP
>> 2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPMs
>> from Redhat.  I have ppolicy configured in slapd and on another RHEL 6.4 system
>> have sssd set up as a client.  Everything works fine with password expiry,
>> grace periods, etc. and sssd, if the user has to enter their password.  But if
>> the user is using an SSH public key, setting the account as locked or the
>> password being expired still allows them to log in.  I can't seem to find a good
>> solution that forces the user to change their password before they can log in.
> 
> Why would you expect anything to validate their password if they are using an SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind with the user's password.
> 
> -- 
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
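The point Howard makes is that ppolicy state (lockout, expiry) only reaches PAM through an LDAP bind with the user's password, which an SSH public-key login never performs; Mike's remediation is to take away the interactive shell instead, so the account is unusable regardless of how sshd authenticated it. The script below is an added example, not code from this thread, that implements that remediation as an administrator's review step: it walks a set of user entries, flags those that ppolicy has locked (`pwdAccountLockedTime` present) or whose password has aged out (`pwdChangedTime` plus `pwdMaxAge` in the past), and emits LDIF that replaces `loginShell` with nologin. The attribute names are the standard OpenLDAP ppolicy ones; the entries, DNs, the `/sbin/nologin` path and the 90-day default age are constructed assumptions for illustration, and `pwdMaxAge` is passed in as a parameter because in a real directory it lives on the policy entry, not on the user.

```python
"""Added example (not from the thread): flag ppolicy-locked or password-expired
accounts and emit LDIF that sets their loginShell to nologin, so that SSH
public-key logins, which never bind with a password, are refused too.

SAMPLE_ENTRIES, the DNs and NOLOGIN_SHELL are constructed assumptions."""
from datetime import datetime, timedelta, timezone

NOLOGIN_SHELL = "/sbin/nologin"          # RHEL path; assumption for this example
DEFAULT_PWD_MAX_AGE = 90 * 24 * 3600     # seconds; ppolicy treats 0 as "never expires"

# Fixed "now" so the sample run is reproducible (constructed).
SAMPLE_NOW = datetime(2013, 11, 25, 18, 0, 0, tzinfo=timezone.utc)

# Constructed sample entries in a simplified attribute-map form.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com",
     "loginShell": "/bin/bash",
     "pwdChangedTime": "20131101120000Z"},              # fresh password
    {"dn": "uid=bob,ou=People,dc=example,dc=com",
     "loginShell": "/bin/bash",
     "pwdChangedTime": "20130601120000Z"},              # expired
    {"dn": "uid=carol,ou=People,dc=example,dc=com",
     "loginShell": "/bin/bash",
     "pwdChangedTime": "20131101120000Z",
     "pwdAccountLockedTime": "000001010000Z"},          # locked by the administrator
    {"dn": "uid=dave,ou=People,dc=example,dc=com",
     "loginShell": "/sbin/nologin",
     "pwdChangedTime": "20130101120000Z"},              # expired, already nologin
]


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_locked(entry: dict) -> bool:
    """ppolicy records a lock in pwdAccountLockedTime. The value 000001010000Z
    means 'locked until an administrator resets it'; any other value is the
    time the lock started. Presence is what matters here, so it is not parsed."""
    return "pwdAccountLockedTime" in entry


def is_expired(entry: dict, now: datetime, max_age: int = DEFAULT_PWD_MAX_AGE) -> bool:
    """True when pwdChangedTime + pwdMaxAge is in the past. max_age == 0 means
    passwords never expire. An entry with no pwdChangedTime has never had its
    password set under ppolicy, so it is not flagged by this check."""
    if max_age == 0 or "pwdChangedTime" not in entry:
        return False
    changed = parse_generalized_time(entry["pwdChangedTime"])
    return changed + timedelta(seconds=max_age) <= now


def accounts_to_disable(entries, now: datetime, max_age: int = DEFAULT_PWD_MAX_AGE):
    """Return the DNs of locked or expired entries that still have an
    interactive shell; entries already set to NOLOGIN_SHELL are skipped."""
    result = []
    for entry in entries:
        if entry.get("loginShell") == NOLOGIN_SHELL:
            continue
        if is_locked(entry) or is_expired(entry, now, max_age):
            result.append(entry["dn"])
    return result


def to_ldif(dns) -> str:
    """Render one modify operation per DN, suitable for review and ldapmodify."""
    blocks = []
    for dn in dns:
        blocks.append(
            f"dn: {dn}\nchangetype: modify\nreplace: loginShell\nloginShell: {NOLOGIN_SHELL}\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    print(to_ldif(accounts_to_disable(SAMPLE_ENTRIES, SAMPLE_NOW)))
```

Run against the sample data this prints modify operations for bob (expired) and carol (locked) only; alice is current and dave already has no shell. The reverse step, restoring the shell once the user has changed their password, is deliberately left to the administrator, since the script only reads directory state and produces LDIF for review.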