Viviano, Brad wrote:
> I'm not expecting it to validate their password, I am expecting it to check
> if their account is locked for some reason. If their account is locked in
> LDAP, it shouldn't let them login under any circumstances. For technical
> reasons we need ssh public keys to operate (IBM GPFS), but I don't want the
> user to be able to circumvent LDAP authority. If I lock their account in
> LDAP they shouldn't be able to login to any system, and I shouldn't have to
> go to every one of my systems and disable their SSH keys manually.

So why don't you just write a script which removes SSH keys automatically?

> The ideal case would be that ppolicy has an attribute that lists if the
> account is locked or not. This would also be useful when using
> pwdLockoutDuration. If I'm using pwdLockoutDuration and
> pwdAccountLockedTime is set, I don't really know if the account is locked
> because I then have to do the math and take the pwdAccountLockedTime and
> add the value of pwdLockoutDuration for the policy applied to that user and
> see if their account is in fact locked. If ppolicy just provided a
> true/false in addition to the LockedTime, that would be much more useful.

A script syncing SSH keys to the system can use whatever attributes are
already available.

Ciao, Michael.
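The "do the math" check Brad describes (pwdAccountLockedTime plus the applicable policy's pwdLockoutDuration) and the key-sync script Michael suggests, as an added example that is not from either poster or from the OpenLDAP project. It assumes user entries have been read with their sshPublicKey and pwdPolicySubentry attributes, that a missing pwdPolicySubentry means the default policy applies, and that a permanent lock uses the 000001010000Z sentinel defined in the ppolicy draft; the LDAP data below is constructed, not fetched.

```python
from datetime import datetime, timedelta, timezone

# Sentinel from the ppolicy draft: this pwdAccountLockedTime value means the
# account was locked permanently by an administrator.
PERMANENT_LOCK = "000001010000Z"
# Assumed DN of the default pwdPolicy entry (olcPPolicyDefault); placeholder.
DEFAULT_POLICY = "cn=default,ou=policies,dc=example,dc=com"

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20240301120000Z (UTC, no fraction)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def account_is_locked(entry, policy, now=None):
    """True if the user entry is locked under the given pwdPolicy attributes."""
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None:
        return False                      # never locked
    if locked_at == PERMANENT_LOCK:
        return True                       # administrative lock, no expiry
    duration = int(policy.get("pwdLockoutDuration", "0"))
    if duration == 0:
        return True                       # 0 = locked until a password reset
    now = now or datetime.now(timezone.utc)
    return now < parse_generalized_time(locked_at) + timedelta(seconds=duration)

def authorized_keys_for(users, policies, now=None):
    """Map uid -> sshPublicKey values to install, omitting locked accounts.

    users    - list of user attribute dicts (uid, sshPublicKey, ppolicy attrs)
    policies - dict mapping pwdPolicy DN -> that policy's attribute dict
    """
    result = {}
    for user in users:
        policy = policies.get(user.get("pwdPolicySubentry", DEFAULT_POLICY), {})
        if account_is_locked(user, policy, now):
            continue                      # locked: no keys land on the host
        result[user["uid"]] = list(user.get("sshPublicKey", []))
    return result

# Constructed sample data standing in for LDAP search results.
POLICIES = {DEFAULT_POLICY: {"pwdLockoutDuration": "900"}}
USERS = [
    {"uid": "alice", "sshPublicKey": ["ssh-ed25519 AAAA...alice"]},
    {"uid": "bob", "sshPublicKey": ["ssh-ed25519 AAAA...bob"],
     "pwdAccountLockedTime": "20240301120000Z",
     "pwdPolicySubentry": DEFAULT_POLICY},
    {"uid": "carol", "sshPublicKey": ["ssh-ed25519 AAAA...carol"],
     "pwdAccountLockedTime": PERMANENT_LOCK},
]

if __name__ == "__main__":
    print(authorized_keys_for(USERS, POLICIES))
```

A real sync would fetch these attributes over LDAP on a timer and rewrite each host's AuthorizedKeysFile (or serve them via AuthorizedKeysCommand), so a lock set in LDAP propagates without touching every machine by hand.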