Adjusting ACL's seems like overkill for this situation and I have to work
within the bounds of what sssd offers. sssd doesn't have a native check for
pwdAccountLockedTime when it does ppolicy based checking, the code just isn't
there. sssd for LDAP auth does support a True/False check for account locked,
which is how Redhat DS, 389ds and IPA do it, from what I've read. I've added a
True/False as a schema extension, tested it and it works. If I manually set
accountLocked to TRUE on a DN, the user can't login at all, it logs in the
messages file the account it locked. Works perfect.
My question is, is there a better way to set that True/False attribute value
based on pwdAccountLockedTime. What I am looking for is, if
pwdAccountLockedTime is set for DN=x, then also set accountLocked=true for
DN=x. Sure, I can do that with an external script, but is there a way to do it
from within slapd.
Basically can I create a virtual attribute so when a user queries for
accountLocked, it actually does a check for something else
(pwdAccountLockedTime) and based on that value returns True or False. I'm
thinking in terms of a stored procedure offered on many SQL servers.
Thanks,
-Brad Viviano
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696
HSCSS Task Order Lead - Ravi Nair
919-541-5467 - [email protected]
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - [email protected]
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - [email protected]
________________________________________
From: Michael Ströder <[email protected]>
Sent: Wednesday, November 27, 2013 9:35 AM
To: Viviano, Brad; [email protected]
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
> I understand what you are saying. It would of been nice if a generalized
> account locking method was included in the ppolicy or a similar overlay was
> available like other LDAP server implementations provide.
It's very easy to lock accounts (or whatever entries) by ACLs.
Ciao, Michael.
