[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP with ppolicy and SSSD configuration question.

    I can't foresee a time I would want a user to just disappear entirely from a system because their password is locked.  I don't want locked users to be invisible, I want them to be locked so they can't login.  I still want NSS to know the users exist so when someone does an 'ls -l' it doesn't just list numbers for them or if they need to query email or phone number, it's still available.  There are a lots of reasons I can think why I need to lock an account to prevent a user from logging into a given system, none that I can think of where I would want to user to 100% disappear because their account is locked.

    I understand how ACL's work and I don't see changing ACL's as a solution to this problem.  My RHEL admin's won't take kindly to me just making users disappear on the their systems because their account is locked, they're funny that way.  They'd rather a message showed in syslog that says user X is locked when the user tries to log in so they see it.


Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC

HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi@epa.gov

From: Michael Ströder <michael@stroeder.com>
Sent: Wednesday, November 27, 2013 1:10 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.

Viviano, Brad wrote:
> Adjusting ACL's seems like overkill for this situation and I have to work within the bounds of what sssd offers.

I'm doing this with sssd and it's definitely not overkill
=> there's no valid excuse to not learn about ACLs

And it does not only work for applications/clients which support a custom
name-your-favourite-vendor-specific-lock-attribute-here. If done right ACLs
simply make entries invisible for sssd or *every* application integrated with
your LDAP server.

Ciao, Michael.