On Fri, Nov 22, 2013 at 03:16:16PM -0500, Dmitri Pal wrote:
> On 11/22/2013 02:51 PM, Viviano, Brad wrote:
> > Hello,
> >
> > I've searched extensively and haven't found an answer to this. I have a RHEL6.4 system running slapd version 2.4.23-32.el6_4.1 with sssd version 1.9.2-82.11.el6_4. I've configured OpenLDAP to use ppolicy. Everything (password expires, account locked, grace periods, etc.) is working beautifully if the user logs in with their password. But if they have an SSH public key, then even if the account in OpenLDAP is locked, the user can still log in.
> >
> > I can't seem to find a FAQ on configuring OpenLDAP and SSSD in regards to ppolicy settings for this case. I hope I am just missing something simple. Any suggestions or pointers would be much appreciated.
>
> You want to use account policies when logging in using SSH keys?
>
> I am not an expert so I am not sure exactly how to do it or whether it is possible, but I think you need to make sure that when you log into the system via SSH the PAM accounting phase is performed. Please check the SSH config to invoke PAM accounting for access control checks; then you can use SSSD in the PAM stack and use its access control provider configuration for LDAP to do the checks.
> At least this is the direction I would try to dig.
>
> HTH
> Dmitri
Dmitri is completely right. When you log in with your public key the authentication is performed by sshd, so SSSD's pam_sss doesn't come into play in the authentication. Some password policies (e.g. shadow) would be possible to check later during the account phase, but typically the expiration data is returned by the LDAP server during authentication, so this solution wouldn't be generic. Also, by using public keys, you are logging in with another authentication token than your password, so it would seem a bit strange to warn about password properties.

Account expiration is a different matter than password policy. Expiration should always be checked during the account phase. I'm not sure which mechanism is most prevalent in OpenLDAP deployments, but please check the sssd-ldap man page, option 'ldap_account_expire_policy'. If there is some widely used overlay or other mechanism which is not supported by the SSSD, let us know.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
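The three layers the reply describes (sshd handing the session to PAM, an `account` entry for pam_sss in the PAM stack, and SSSD's LDAP access provider with `ldap_account_expire_policy`) can be audited with a small script. This is an added example, not code from the thread or from the SSSD project; it assumes the RHEL 6 layout where /etc/pam.d/sshd pulls in password-auth, and the policy value `shadow` in the constructed sssd.conf is only a placeholder for whatever your deployment actually uses.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a public-key SSH login
# will reach the PAM account phase and whether SSSD evaluates account expiry
# there. Assumes the RHEL 6 layout where /etc/pam.d/sshd includes password-auth.

# sshd uses the FIRST value given for a keyword; UsePAM defaults to "no".
sshd_uses_pam() {  # $1 = sshd_config
    [ "$(awk 'tolower($1)=="usepam" {print tolower($2); exit}' "$1")" = "yes" ]
}

# True if any of the given PAM files has an active "account ... pam_sss.so" line.
pam_account_has_sss() {  # $@ = PAM stack files (sshd plus the files it includes)
    grep -qE '^[[:space:]]*account[[:space:]].*pam_sss\.so' "$@" 2>/dev/null
}

# True if the given sssd.conf domain uses the LDAP access provider and sets
# ldap_account_expire_policy (see sssd-ldap(5) for the values it accepts).
sssd_expiry_configured() {  # $1 = sssd.conf, $2 = domain name
    awk -v sect="[domain/$2]" '
        { l = $0; gsub(/^[ \t]+|[ \t]+$/, "", l); gsub(/[ \t]*=[ \t]*/, "=", l) }
        l ~ /^\[/ { in_sect = (l == sect); next }
        in_sect && l == "access_provider=ldap" { ap = 1 }
        in_sect && l ~ /^ldap_account_expire_policy=[a-z0-9]+$/ { ep = 1 }
        END { exit !(ap && ep) }' "$1"
}

# Exit 0 only when all three checks pass; otherwise name the failing layer.
audit_sshd_key_logins() {  # $1 sshd_config, $2 sssd.conf, $3 domain, $4.. PAM files
    cfg=$1; conf=$2; dom=$3; shift 3
    sshd_uses_pam "$cfg" || { echo "sshd: UsePAM is not yes, PAM account phase is skipped"; return 1; }
    pam_account_has_sss "$@" || { echo "pam: no active account line for pam_sss.so"; return 1; }
    sssd_expiry_configured "$conf" "$dom" || { echo "sssd: access_provider/ldap_account_expire_policy not set"; return 1; }
    echo "ok: key-based logins reach the SSSD account check"
}

# Constructed sample files (not from a real host) so the script runs stand-alone;
# the policy value "shadow" is a placeholder for the one your directory needs.
demo_dir=$(mktemp -d)
printf '#UsePAM no\nUsePAM yes\n' > "$demo_dir/sshd_config"
printf 'auth sufficient pam_sss.so\naccount required pam_sss.so\n' > "$demo_dir/password-auth"
printf '[sssd]\ndomains = LDAP\n\n[domain/LDAP]\naccess_provider = ldap\nldap_account_expire_policy = shadow\n' > "$demo_dir/sssd.conf"
audit_sshd_key_logins "$demo_dir/sshd_config" "$demo_dir/sssd.conf" LDAP "$demo_dir/password-auth"
rm -rf "$demo_dir"
```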