
Re: OpenLDAP with ppolicy and SSSD configuration question.



Viviano, Brad wrote:
Howard,
I'm not expecting it to validate their password, I am expecting it to check
if their account is locked for some reason. If their account is locked in
LDAP, it shouldn't let them login under any circumstances. For technical
reasons we need ssh public keys to operate (IBM GPFS), but I don't want the
user to be able to circumvent LDAP authority. If I lock their account in LDAP
they shouldn't be able to login to any system, and I shouldn't have to go to
every one of my systems and disable their SSH keys manually.

You're missing the point. "ppolicy" is an abbreviation of *Password Policy* - if the user didn't supply a password, then the policy is irrelevant and cannot be applied.

pwdAccountLockedTime is set when a user has too many failed login attempts using their password. It is not a generic "account is disabled" flag. If you want that, you need to define your own attribute for the purpose because there is no generic *Account Policy* spec for LDAP. (This is in fact one of the outstanding objections to the last ppolicy draft, which prevented it from moving forward as a standard RFC.)

The ideal case would be that ppolicy has an attribute that lists if the
account is locked or not. This would also be useful when using
pwdLockoutDuration. If I'm using pwdLockoutDuration and pwdAccountLockedTime
is set, I don't really know if the account is locked because I then have to do
the math and take the pwdAccountLockedTime and add the value of
pwdLockoutDuration for the policy applied to that user and see if their
account is in fact locked. If ppolicy just provided a true/false in addition to
the LockedTime, that would be much more useful.

Does anyone have any suggestions for an overlay that could create a derived
attribute based on pwdAccountLockedTime so I could get a True/False value?

    Thanks,
      -Brad Viviano

===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696

HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi@epa.gov

________________________________________
From: Howard Chu <hyc@symas.com>
Sent: Monday, November 25, 2013 1:07 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.

Viviano, Brad wrote:
Hello,
      I've searched the archives of this list, the web as best I can, and have
this same question asked to the sssd-devel mailing list and cannot seem to
find an answer to my question.  I have a RHEL 6.4 server with OpenLDAP
2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPMs
from Redhat.  I have ppolicy configured in slapd and on another RHEL6.4 system
have sssd set up as a client.  Everything works fine with password expiry,
grace periods, etc. and sssd, if the user has to enter their password. But, if
the user is using an SSH public key, having the account locked or the
password expired still allows them to log in.  I can't seem to find a good
solution that forces the user to change their password before they can login.

Why would you expect anything to validate their password if they are using an
SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind
with the user's password.

--
    -- Howard Chu
    CTO, Symas Corp.           http://www.symas.com
    Director, Highland Sun     http://highlandsun.com/hyc/
    Chief Architect, OpenLDAP  http://www.openldap.org/project/



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
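The lock-status arithmetic Brad describes (pwdAccountLockedTime plus the policy's pwdLockoutDuration, compared with the current time), written out as an added example; this is not code from the thread or from OpenLDAP. It treats pwdLockoutDuration 0 and the special value 000001010000Z the way slapo-ppolicy(5) documents them (locked until an administrator resets the entry), and the sample entry and policy values are constructed, not read from a directory.

```python
from datetime import datetime, timedelta, timezone

# Value slapo-ppolicy(5) stores in pwdAccountLockedTime for an administrative,
# permanent lock that only an administrator can clear.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20131125180700Z into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("only UTC (Z-suffixed) GeneralizedTime is supported: %r" % value)
    body = value[:-1].split(".")[0]  # drop optional fractional seconds
    fmt = {14: "%Y%m%d%H%M%S", 12: "%Y%m%d%H%M", 10: "%Y%m%d%H"}[len(body)]
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def account_locked(entry, policy, now):
    """Return True if `entry` is locked under pwdPolicy `policy` at time `now`.

    entry and policy are dicts of attribute name -> string value, shaped like
    the attributes an LDAP search would return (constructed here; no directory
    is contacted).
    """
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None:
        return False  # attribute absent: never locked, or already unlocked
    if locked_at == PERMANENT_LOCK:
        return True  # administrative lock, no expiry
    duration = int(policy.get("pwdLockoutDuration", "0"))
    if duration == 0:
        return True  # lockout does not expire; admin must reset
    return now < parse_generalized_time(locked_at) + timedelta(seconds=duration)


if __name__ == "__main__":
    # Constructed sample: 15-minute lockout, account locked at 18:07 UTC.
    policy = {"pwdLockoutDuration": "900"}
    entry = {"pwdAccountLockedTime": "20131125180700Z"}
    for t in ("20131125181000Z", "20131125183000Z"):
        state = "locked" if account_locked(entry, policy, parse_generalized_time(t)) else "unlocked"
        print(t, state)
```

The same check, fed from a periodic LDAP search, is what a key-disabling job or an sshd AuthorizedKeysCommand would need in order to honour an LDAP lock for public-key logins.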