Michael,
I can't foresee a time I would want a user to just disappear entirely from
a system because their password is locked. I don't want locked users to be
invisible, I want them to be locked so they can't log in. I still want NSS to
know the users exist so when someone does an 'ls -l' it doesn't just list
numbers for them or if they need to query email or phone number, it's still
available. There are lots of reasons I can think of why I need to lock an
account to prevent a user from logging into a given system, none that I can
think of where I would want the user to 100% disappear because their account is
locked.
I understand how ACLs work and I don't see changing ACLs as a solution to
this problem. My RHEL admins won't take kindly to me just making users
disappear on their systems because their account is locked, they're funny
that way. They'd rather a message showed in syslog that says user X is locked
when the user tries to log in so they see it.
Thanks,
-Brad
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696
HSCSS Task Order Lead - Ravi Nair
919-541-5467 - [email protected]
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - [email protected]
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - [email protected]
________________________________________
From: Michael Ströder <[email protected]>
Sent: Wednesday, November 27, 2013 1:10 PM
To: Viviano, Brad; [email protected]
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
> Adjusting ACLs seems like overkill for this situation and I have to work
> within the bounds of what sssd offers.
I'm doing this with sssd and it's definitely not overkill
=> there's no valid excuse to not learn about ACLs
And it does not only work for applications/clients which support a custom
name-your-favourite-vendor-specific-lock-attribute-here. If done right ACLs
simply make entries invisible for sssd or *every* application integrated with
your LDAP server.
Ciao, Michael.
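For readers following the two approaches in this thread, here is an added example of the sssd-side option (constructed for this note, not a configuration posted by either Brad or Michael): an sssd.conf domain section that keeps ppolicy-locked users visible to NSS while refusing them login. The domain name, server name and search base are placeholders, and it assumes an SSSD release whose sssd-ldap(5) documents the `lockout` value for `ldap_access_order`, together with an OpenLDAP ppolicy overlay that sets `pwdAccountLockedTime` when an account is locked.

```ini
# Added example, not from the thread. Assumed values: domain "example",
# server ldap.example.com, search base dc=example,dc=com.
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true

# Access control runs in the PAM responder, not in NSS: getent and ls -l
# still resolve the user, but login is refused when the check fails.
access_provider = ldap

# "lockout" denies access when the entry carries pwdAccountLockedTime,
# the attribute the ppolicy overlay sets on lock. No vendor-specific
# lock attribute is needed.
ldap_access_order = lockout
```

With this in place a locked user's login fails at the PAM access check: pam_sss returns a denial to the PAM stack, which the login service reports through syslog, and sssd records the reason in its domain log. Name and UID resolution through NSS is untouched, which is the behaviour Brad asks for. Two practical caveats: `pwdAccountLockedTime` is an operational attribute, so the bind identity sssd uses must be allowed to read it, or the check can never trigger; and the alternative Michael describes, an OpenLDAP ACL of the form `access to filter=(pwdAccountLockedTime=*) by * none`, removes the entry from every client that binds with an identity the ACL matches, which is precisely the loss of visibility in `ls -l` and directory lookups that Brad objects to. The ACL route is the stronger control when an entry must not be seen at all; the sssd route is the right one when lockout should only block authentication.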