Change the user's shell to nologin.

Mike

> On Nov 25, 2013, at 1:23 PM, "Howard Chu" <[email protected]> wrote:
>
> Viviano, Brad wrote:
>> Hello,
>> I've searched the archives of this list, the web as best I can, and have
>> asked this same question to the sssd-devel mailing list and cannot seem to
>> find an answer to my question. I have a RHEL 6.4 server with OpenLDAP
>> 2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPMs
>> from Red Hat. I have ppolicy configured in slapd and on another RHEL 6.4
>> system have sssd set up as a client. Everything works fine with password
>> expiry, grace periods, etc. and sssd, if the user has to enter their
>> password. But, if the user is using an SSH public key, setting the account
>> as locked or the password is expired still allows them to log in. I can't
>> seem to find a good solution that forces the user to change their password
>> before they can log in.
>
> Why would you expect anything to validate their password if they are using an
> SSH public key? pam only gets the ppolicy info if it performs an LDAP Bind
> with the user's password.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
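
Added example, not part of the original thread: one way to apply the nologin suggestion to ppolicy-locked accounts, by reading an LDIF export and emitting `ldapmodify` change records that replace `loginShell`. The sample entries, the `example.com` DNs and both function names are constructed for illustration; the parser assumes unfolded, non-base64 LDIF and looks only at `pwdAccountLockedTime`, not at password expiry.

```shell
#!/bin/sh
# Constructed sample, shaped like the output of:
#   ldapsearch -LLL -x -b <base> '(objectClass=posixAccount)' \
#       uid loginShell pwdAccountLockedTime
# pwdAccountLockedTime is an operational attribute, so it must be
# requested by name or it will not be returned.
sample_ldif() {
cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
loginShell: /bin/bash
pwdAccountLockedTime: 20131125182300Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
loginShell: /bin/bash

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
loginShell: /sbin/nologin
pwdAccountLockedTime: 000001010000Z
EOF
}

# Read LDIF on stdin and print one ldapmodify change record for every entry
# that ppolicy has locked but that still has a shell other than nologin.
# $1 optionally overrides the nologin path (default /sbin/nologin).
nologin_changes() {
awk -v nologin="${1:-/sbin/nologin}" '
function emit() {
    if (dn != "" && locked && shell != nologin)
        printf "dn: %s\nchangetype: modify\nreplace: loginShell\nloginShell: %s\n\n", dn, nologin
    dn = ""; shell = ""; locked = 0
}
/^dn: /                   { emit(); dn = substr($0, 5) }
/^loginShell: /           { shell = substr($0, 13) }
/^pwdAccountLockedTime: / { locked = 1 }
/^$/                      { emit() }
END                       { emit() }
'
}

# Review this output before piping it to ldapmodify.
sample_ldif | nologin_changes
```

A key-based SSH login never performs the LDAP bind that would surface the lock, but sshd still runs the account's `loginShell`, which is why the change takes effect for those sessions too.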
