Try using a filter in sssd.conf. Something like
ldap_access_order = filter
ldap_access_filter = (!(pwdAccountLockedTime=*))

-Mike

> Date: Mon, 10 Mar 2014 19:05:21 -0500
> From: [email protected]
> To: [email protected]
> Subject: open(ldap|ssh) interaction
>
> Hey;
>
> When using local accounts, ssh honors password expiration even if using
> public key authentication. This is the case at least on HPUX, Solaris, and
> various flavors of Linux. This is a good thing. I won't go through all the
> security reasons why passwords should periodically change. Suffice to say
> that they should and most companies have policies regarding password
> expiration.
>
> When using openldap, however, if a user is configured to use public key
> authentication, he is allowed access to the account regardless of the
> password aging and/or pwdReset parameter.
>
> Is there a way to force openssh to honor these settings like it does for
> local accounts?
>
> Test environment is centos6.5 running on a kvm tying into an openldap server
> ver 2.4.23. My test environment is certainly following the symptoms of my
> client's unboundid server supporting a variety of linux platforms - all rhel
> based - from ver 4 through 6.
>
> Any help greatly appreciated.
>
> Doug O'Leary
> ------------
> Senior UNIX/Security Admin
> CISSP, CISA, RHCSA, CEH
> O'Leary Computers Inc
> [email protected] (w) 630-904-6098 (c) 630-248-2749
> linkedin: http://www.linkedin.com/in/dkoleary
> resume: http://www.olearycomputers.com/resume.html
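
Added example, not part of Mike's reply or Doug's post: a fuller sssd.conf domain stanza built on the filter idea above, showing the surrounding options that have to be in place for the filter to be evaluated at all. The domain name, server URI and base DN are placeholders, and the pwdReset clause is an assumption added here to cover the pwdReset attribute Doug mentions; the rest uses only documented sssd.conf / sssd-ldap options.

```ini
# /etc/sssd/sssd.conf (excerpt) -- illustrative example, not from the thread.
# "example", the URI and the base DN below are placeholders.
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# The ldap_access_* options are only consulted when the LDAP access
# provider is selected; with access_provider = permit (or unset) every
# user sssd can resolve is let in.
access_provider = ldap

# Run the filter check in the PAM account phase. sshd calls pam_acct_mgmt()
# for every login when UsePAM is yes, including publickey logins, so this
# is what makes the LDAP policy bite even when no password is typed.
ldap_access_order = filter

# Mike's filter denies any entry the ppolicy overlay has marked as locked
# (pwdAccountLockedTime is set on lockout, or to 000001010000Z by an
# administrator). The pwdReset clause is an assumption added in this
# example: it also denies accounts whose password was reset by an
# administrator with pwdMustChange TRUE, until the user changes it.
ldap_access_filter = (&(!(pwdAccountLockedTime=*))(!(pwdReset=TRUE)))
```

Two things to check before relying on this. First, the filter is evaluated by the directory server against the user's entry using sssd's bind identity (ldap_default_bind_dn or anonymous), so that identity needs search/read access to the operational attributes pwdAccountLockedTime and pwdReset; a quick way to verify is `ldapsearch -x -D <sssd bind dn> -W -b dc=example,dc=com '(&(uid=<user>)(!(pwdAccountLockedTime=*))(!(pwdReset=TRUE)))' dn`, which must return the user's DN for an account that should be allowed in and nothing for one that should be refused. Second, this covers lockouts and forced resets, not expiry by age: the OpenLDAP ppolicy overlay computes pwdChangedTime + pwdMaxAge only when a simple bind is attempted, and a publickey login never binds as the user, so a merely aged-out password sets no attribute this filter could match.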
