[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP with ppolicy and SSSD configuration question.

On 27/11/2013 20:51, Michael Ströder wrote:
Viviano, Brad wrote:
I can't foresee a time I would want a user to just disappear entirely from
a system because their password is locked.  I don't want locked users to be
invisible, I want them to be locked so they can't login.

Gee, can't you read about ACLs *before* responding like that.

You don't have to make them invisible like I do. You can also just lock auth
access to 'userPassword'.

Changing access to userPassword, whether by ACL or by modifying the attribute value itself, doesn't have any effect when the user has a SSH key because LDAP is not involved in authentication.

There's no clean way to deal with this in my opinion. In the past I've modified accounts' shell attribute to prevent logins at the point they're determined to be disabled, and put back when the account is deemed unlocked.

Modifying the shell is useless for non-Unix systems though (web applications for example).

Now I use a custom 'lock' attribute on all accounts and use a LDAP filter at the client end. This is fine for our purposes but could be a problem for appliances that don't provide much in the way of LDAP configuration options.

Liam Gretton                                    liam.gretton@le.ac.uk
HPC Architect                                http://www.le.ac.uk/its/
IT Services                                   Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom