Doug, did you not see my reply? Perhaps you're not using sssd, but the sssd_ldap filter works for me.

-Mike

> From: [email protected]
> Subject: Re: Antw: open(ldap|ssh) interaction
> Date: Tue, 11 Mar 2014 09:05:28 -0500
> To: [email protected]
> CC: [email protected]
>
> Hey;
>
> Thanks for the reply.
>
> > I'm not sure about OpenLDAP, but on HP-UX there was a problem if a local
> > user authenticated with SSH keys only: If the password (that was never
> > used) expired, ssh key login was denied. The user had to change his
> > password (using non-key login).
>
> That's not a problem - that's the way it's supposed to work. An account
> shouldn't be able to circumvent password expiration requirements simply
> because its primary access method is ssh keys. There are any number of bad
> things that can happen as a result of that ability. I can think of three
> right off the top of my head. Short version: if an account has a password,
> it needs to change regularly.
>
> I'm figuring it's a pam configuration as well; however, since it's related to
> ldap authentication, I'm hoping others in this group might have seen and
> fixed the problem. I already have questions opened w/the OS vendor.
>
> Thanks again for your reply.
>
> Doug O'Leary
> -------------------
> Senior UNIX/Security Admin
> CISSP, CISA, RHCSA, CEH
> O'Leary Computers Inc
> [email protected] (w) 630-904-6098 (c) 630-248-2749
> linkedin: http://www.linkedin.com/in/dkoleary
> resume: http://www.olearycomputers.com/resume.html
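
The exchange above turns on why an account that only ever logs in with ssh keys is still refused once its (never used) password ages out: with "UsePAM yes", sshd runs the PAM account stack after a successful publickey authentication, and pam_unix's shadow check answers "new authtok required" or "account expired" without caring how the user authenticated. The script below is an added example, not code from this thread or from Linux-PAM; it approximates pam_unix's /etc/shadow expiry logic over constructed shadow-style lines so you can predict which local accounts will be blocked. The exact boundary-day behaviour is an assumption to verify against your own libc/PAM build, and it says nothing about LDAP users, whose expiry is evaluated by pam_sss and the directory's own policy rather than the shadow file.

```shell
#!/bin/sh
# Added example (not from the thread or from Linux-PAM): an approximation of
# pam_unix's /etc/shadow expiry check, showing why a key-only ssh login is
# refused once the never-used password ages out. sshd with "UsePAM yes" runs
# the PAM account stack after key authentication, so these results apply to
# publickey logins too. Boundary-day behaviour is an assumption; confirm it
# against your own libc/PAM build before relying on it.
#
# /etc/shadow fields (colon separated; day fields count days since 1970-01-01;
# an empty field means "not set"):
#   1 name  2 hash  3 lastchg  4 min  5 max  6 warn  7 inact  8 expire  9 flag

# today_days: days since the epoch, the unit pam_unix compares against.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_state LINE TODAY
# Prints one of: ok | change-required | password-expired | account-expired
#   change-required  -> login only proceeds if the user can change the password
#                       interactively, which a key-only session cannot do
#   password-expired -> max age plus inactivity window both passed; denied
#   account-expired  -> absolute expiry date (field 8) reached; denied
shadow_state() {
    line=$1
    today=$2
    IFS=: read -r _name _hash lastchg _min max _warn inact expire _flag <<EOF
$line
EOF
    # Absolute account expiry wins over everything else.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo account-expired
        return
    fi
    # lastchg of 0 means "must change at next login".
    if [ "${lastchg:-1}" -eq 0 ]; then
        echo change-required
        return
    fi
    # No maximum age (or lastchg unset): the password never ages out.
    if [ -z "$max" ] || [ -z "$lastchg" ]; then
        echo ok
        return
    fi
    age=$(( today - lastchg ))
    # Past max age AND past the inactivity grace window: hard failure.
    if [ -n "$inact" ] && [ "$age" -gt $(( max + inact )) ]; then
        echo password-expired
        return
    fi
    # Past max age only: PAM demands a new password.
    if [ "$age" -gt "$max" ]; then
        echo change-required
        return
    fi
    echo ok
}

# Constructed sample lines (not real accounts or hashes). Day 16140 is
# 2014-03-11, the date of the quoted mail; lastchg 16000 is about 4.5 months
# earlier.
SAMPLE='svc:$6$fakehash:16000:0:99999:7:::
doug:$6$fakehash:16000:0:90:7:::
bob:$6$fakehash:16000:0:90:7:14::
eve:$6$fakehash:16000:0:99999:7::16050:
newhire:$6$fakehash:0:0:99999:7:::'

# demo: print "<user> <state>" for each sample line as of day 16140.
demo() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r l; do
        printf '%s %s\n' "${l%%:*}" "$(shadow_state "$l" 16140)"
    done
}

# To audit a real host (read-only; needs root to read /etc/shadow), source
# this file and run:
#   while IFS= read -r l; do
#       printf '%s %s\n' "${l%%:*}" "$(shadow_state "$l" "$(today_days)")"
#   done < /etc/shadow
# Any user reporting change-required or worse will be refused over ssh even
# with a valid key, which is the behaviour the thread describes.

if [ "${0##*/}" = "shadow_expiry.sh" ]; then
    demo
fi
```

Only the "ok" accounts get in over a key-only session; the others hit the PAM account stack and are turned away, so the quick check before chasing a PAM or LDAP misconfiguration is simply whether the account's password has aged out.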
