On 11/22/2013 02:51 PM, Viviano, Brad wrote:
> Hello,
> I've searched extensively and haven't found an answer to this. I
> have a RHEL6.4 system running slapd version 2.4.23-32.el6_4.1 with
> sssd version 1.9.2-82.11.el6_4. I've configured OpenLDAP to use
> ppolicy. Everything (password expires, account locked, grace periods,
> etc) is working beautifully if the user logs in with their password.
> But if they have an SSH public key, then even if the account in
> OpenLDAP is locked, the user can still login.
> I can't seem to find a FAQ on configuring OpenLDAP and SSSD in
> regards to ppolicy settings for this case. I hope I am just missing
> something simple. Any suggestions or pointers would be much appreciated.

You want to use account policies when logging in using SSH keys?
I am not an expert, so I am not sure exactly how to do it or whether it is possible, but I think you need to make sure that when you log into the system via SSH the PAM accounting phase is performed. Please check the SSH config to invoke PAM accounting for access control checks; then you can use SSSD in the PAM stack and use its access control provider configuration for LDAP to do the checks. At least this is the direction I would try to dig.

HTH
Dmitri

> Thanks,
> -Brad Viviano
>
> ===================================================
> Brad Viviano
> High Performance Computing & Scientific Visualization
> Lockheed Martin, Supporting the EPA
> Research Triangle Park, NC
> 919-541-2696
>
> HSCSS Task Order Lead - Ravi Nair
> 919-541-5467 - nair.r...@epa.gov
> High Performance Computing Subtask Lead - Durward Jones
> 919-541-5043 - jones.durw...@epa.gov
> Environmental Modeling and Visualization Lead - Heidi Paulsen
> 919-541-1834 - paulsen.he...@epa.gov
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
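The checks suggested in the reply above, as an added example that is not part of the original thread: a shell script that verifies a key-based SSH login still passes through the PAM account phase and reaches an SSSD access provider. The function names are hypothetical, it assumes `access_provider = ldap` is the intended setting and a single domain section in sssd.conf, and the file contents at the bottom are constructed samples.

```shell
# Paths are arguments so the check can run against copies of the real files.

sshd_opt() {  # $1=sshd_config $2=keyword; sshd uses the first value it sees
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

sssd_opt() {  # $1=sssd.conf $2=key; assumes a single [domain/...] section
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

pam_account_has_sss() {  # $1=PAM service file; follows one level of include
    pat='^[[:space:]]*account[[:space:]].*pam_sss\.so'
    grep -Eq "$pat" "$1" && return 0
    for inc in $(awk '$1 == "account" && ($2 == "include" || $2 == "substack") { print $3 }' "$1"); do
        grep -Eq "$pat" "$(dirname "$1")/$inc" 2>/dev/null && return 0
    done
    return 1
}

check_account_path() {  # $1=sshd_config $2=PAM service file $3=sssd.conf
    rc=0
    # Without UsePAM, sshd skips PAM account processing for public-key logins.
    [ "$(sshd_opt "$1" UsePAM)" = "yes" ] ||
        { echo "FAIL: UsePAM is not 'yes' in $1"; rc=1; }
    pam_account_has_sss "$2" ||
        { echo "FAIL: no account line with pam_sss.so reachable from $2"; rc=1; }
    ap=$(sssd_opt "$3" access_provider)
    [ "$ap" = "ldap" ] ||
        { echo "FAIL: access_provider is '${ap:-unset}' in $3, expected ldap"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key-based logins reach SSSD access control"
    return "$rc"
}

# Constructed sample files (not from the thread) to exercise the check.
demo=$(mktemp -d)
printf 'PubkeyAuthentication yes\nUsePAM yes\n' > "$demo/sshd_config"
printf 'account required pam_nologin.so\naccount include password-auth\n' > "$demo/sshd"
printf 'account [default=bad success=ok user_unknown=ignore] pam_sss.so\n' > "$demo/password-auth"
printf '[domain/example]\nid_provider = ldap\naccess_provider = ldap\n' > "$demo/sssd.conf"
check_account_path "$demo/sshd_config" "$demo/sshd" "$demo/sssd.conf"
rm -rf "$demo"
```

A passing result only shows that the account phase is wired to SSSD; whether a ppolicy lock is actually honoured depends on how the access provider is configured for the directory.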