Re: OpenLDAP with ppolicy and SSSD configuration question.

Viviano, Brad wrote:
> I'm not expecting it to validate their password, I am expecting it to check
> if their account is locked for some reason.  If their account is locked in
> LDAP, it shouldn't let them login under any circumstances.  For technical
> reasons we need ssh public keys to operate (IBM GPFS), but I don't want the
> user to be able to circumvent LDAP authority.  If I lock their account in
> LDAP they shouldn't be able to login to any system, and I shouldn't have to
> go to every one of my systems and disable their SSH keys manually.

So why don't you just write a script which removes SSH keys automatically?

> The ideal case would be that ppolicy has an attribute that lists if the
> account is locked or not.  This would also be useful when using
> pwdLockoutDuration.  If I'm using pwdLockoutDuration and
> pwdAccountLockedTime is set, I don't really know if the account is locked
> because I then have to do the math and take the pwdAccountLockedTime and
> add the value of pwdLockoutDuration for the policy applied to that user and
> see if their account is in fact locked.  If ppolicy just provided a
> true/false in addition to the LockedTime, that would be much more useful.

A script syncing SSH keys to the system can use whatever attributes are
already available.

Ciao, Michael.
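An added example, not from this thread, of the lockout arithmetic Brad describes (pwdAccountLockedTime plus the policy's pwdLockoutDuration), written the way Michael's proposed key-sync script could consume it. The dictionary shape, the sshPublicKey attribute name and the sample timestamps are assumptions; the 000001010000Z sentinel and the meaning of pwdLockoutDuration 0 follow slapo-ppolicy.

```python
from datetime import datetime, timedelta, timezone

# slapo-ppolicy stores pwdAccountLockedTime as LDAP GeneralizedTime
# (e.g. 20240305143000Z). The sentinel below marks an administrative,
# indefinite lock rather than a timed one.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse YYYYmmddHHMM[SS][.fff]Z into an aware UTC datetime."""
    base = value.rstrip("Z").split(".")[0]
    if len(base) == 12:          # seconds are optional in GeneralizedTime
        base += "00"
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def is_locked(entry, policy, now=None):
    """Decide whether a user entry should be treated as locked.

    entry  -- the user's attributes (assumed dict), may carry pwdAccountLockedTime
    policy -- the pwdPolicy entry applying to that user, may carry pwdLockoutDuration
    """
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None:
        return False
    if locked_at == PERMANENT_LOCK:
        return True                       # admin lock: duration is irrelevant
    # pwdLockoutDuration is in seconds; 0 or absent means locked until reset.
    duration = int(policy.get("pwdLockoutDuration", 0))
    if duration == 0:
        return True
    now = now or datetime.now(timezone.utc)
    return now < parse_generalized_time(locked_at) + timedelta(seconds=duration)


def authorized_keys_for(entry, policy, now=None):
    """Keys a sync script should install: none while the account is locked.

    Uses the openssh-lpk style sshPublicKey attribute (an assumption here).
    """
    if is_locked(entry, policy, now):
        return []
    return list(entry.get("sshPublicKey", []))
```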

