[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP with ppolicy and SSSD configuration question.

    I don't see your point.  I'm not debating a user providing a password or not.  I'm discussing how to inform the client that an account is locked.  Slapd already knows the account for DN=x is locked because the user provided an invalid password too many times according the the policy and it set pwdAccountLockedTime.  The issue is, sssd, which is the standard for RHEL6 and what I have to deal with doesn't understand that value.  It wants a True/False, not a timestamp.  So what I'm asking about is, translating a timestamp to a True/False.

    As I said, there are any number of external methods I could do that would do it.  I was hoping for an internal method, something that could translate it on the fly so if I request "accountLocked" for DN=x and pwdAccountLockedTime is not NULL then return accountLocked=TRUE otherwise return accountLocked=FALSE.  If an existing overlay could be used to do that, I was interested in the specifics.

    I don't understand your second point.  ANYONE can lock out a user with ppolicy and that has nothing to so with sssd.  I could do an ldapsearch and use any users DN with an invalid password and lock them out if I hit the policy settings that trigger the lock.  Heck I could write a perl script that requested every user with posixAccount objectClass and then proceed to bind with invalid passwords to lock out the entire directory as a DoS.

     -Brad Viviano

Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC

HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi@epa.gov

From: Howard Chu <hyc@symas.com>
Sent: Wednesday, November 27, 2013 12:40 PM
To: Viviano, Brad; Michael Ströder; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.

Viviano, Brad wrote:
> Adjusting ACL's seems like overkill for this situation and I have to work
within the bounds of what sssd offers. sssd doesn't have a native check for
pwdAccountLockedTime when it does ppolicy based checking, the code just isn't
there. sssd for LDAP auth does support a True/False check for account locked,
which is how Redhat DS, 389ds and IPA do it, from what I've read. I've added a
True/False as a schema extension, tested it and it works. If I manually set
accountLocked to TRUE on a DN, the user can't login at all, it logs in the
messages file the account it locked. Works perfect.

You're still missing the point that if the user didn't provide a password for
LDAP Bind, then LDAP authentication *didn't happen*. If SSSD is still doing an
LDAP authorization check here, that's a *bug*, because without a successful
authentication, it has no way to verify that the provided username matches any
particular LDAP entry. Therefore it cannot assert that any particular LDAP
attribute has any relevance to the current login attempt.

> My question is, is there a better way to set that True/False attribute
> value
based on pwdAccountLockedTime. What I am looking for is, if
pwdAccountLockedTime is set for DN=x, then also set accountLocked=true for
DN=x. Sure, I can do that with an external script, but is there a way to do it
from within slapd.

Of course you can write a slapd overlay to do this, but it would be a mistake
because your security mechanism is broken. Anyone with permission to write to
the directory could spoof their username attribute and lockout any user of
their choice.

SSSD has a lot of issues. This is why we still recommend nssov.

> Basically can I create a virtual attribute so when a user queries for
accountLocked, it actually does a check for something else
(pwdAccountLockedTime) and based on that value returns True or False. I'm
thinking in terms of a stored procedure offered on many SQL servers.

>      Thanks,
>          -Brad Viviano

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/