On 11/24/2013 04:19 PM, Jakub Hrozek wrote:
> On Fri, Nov 22, 2013 at 03:16:16PM -0500, Dmitri Pal wrote:
>> On 11/22/2013 02:51 PM, Viviano, Brad wrote:
>>> Hello,
>>>
>>> I've searched extensively and haven't found an answer to this. I have a
>>> RHEL6.4 system running slapd version 2.4.23-32.el6_4.1 with sssd version
>>> 1.9.2-82.11.el6_4. I've configured OpenLDAP to use ppolicy. Everything
>>> (password expires, account locked, grace periods, etc.) is working
>>> beautifully if the user logs in with their password. But if they have an
>>> SSH public key, then even if the account in OpenLDAP is locked, the user
>>> can still log in. I can't seem to find a FAQ on configuring OpenLDAP and
>>> SSSD in regards to ppolicy settings for this case. I hope I am just
>>> missing something simple. Any suggestions or pointers would be much
>>> appreciated.
>>
>> You want to use account policies when logging in using SSH keys?
>>
>> I am not an expert so I am not sure exactly how to do it or whether it is
>> possible, but I think you need to make sure that when you log into the
>> system via SSH the PAM accounting phase is performed. Please check the SSH
>> config to invoke PAM accounting for access control checks; then you can
>> use SSSD in the PAM stack and use its access control provider
>> configuration for LDAP to do the checks. At least this is the direction I
>> would try to dig.
>>
>> HTH
>> Dmitri
>
> Dmitri is completely right.
>
> When you log in with your public key the authentication is performed by
> sshd, so the SSSD's pam_sss doesn't come into play in the authentication.
>
> Some password policies (e.g. shadow) would be possible to check later
> during the account phase, but typically the expiration data is returned by
> the LDAP server during authentication, so this solution wouldn't be
> generic.
>
> Also, by using public keys, you are logging in with another authentication
> token than your password, so it would seem a bit strange to warn about
> password properties.
>
> Account expiration is a different matter than password policy. Expiration
> should always be checked during the account phase. I'm not sure which
> mechanism is most prevalent in OpenLDAP deployments, but please check the
> sssd-ldap man page, option 'ldap_account_expire_policy'. If there is some
> widely used overlay or other mechanism which is not supported by the SSSD,
> let us know.

Two other things to check:

1) Is /etc/ssh/sshd_config set with "Use PAM = yes"?

2) What do you have set in sssd.conf for access_provider? If you're not
   using "access_provider = ldap" and the appropriate "ldap_access_order"
   settings, the expiration policy may not be checked.
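A small audit script for the two conditions raised in this thread (sshd running the PAM account phase for key logins, and the SSSD domain actually gating access through the LDAP provider). This is an added example, not code from the thread or from the SSSD or OpenSSH projects. It assumes the directive spellings documented in sshd_config(5) ("UsePAM yes") and sssd-ldap(5) ("access_provider", "ldap_access_order", "ldap_account_expire_policy"); the functions ini_get, sshd_uses_pam, key_login_gated and make_samples, the [domain/LDAP] section name and the sample config files are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or the SSSD project. It audits the
# two conditions discussed above: sshd must run the PAM account phase for
# public-key logins ("UsePAM yes", per sshd_config(5)), and the SSSD domain
# must gate access with access_provider = ldap, an ldap_access_order that
# includes "expire", and an ldap_account_expire_policy (per sssd-ldap(5)).
# The function names, domain name and sample files below are constructed.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], empty if absent.
# Minimal parser for sssd.conf's INI layout; SECTION is used as a regex body.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ ("^[[:space:]]*\\[" sec "\\][[:space:]]*$")); next }
        in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# sshd_uses_pam FILE: succeed only if the first uncommented UsePAM directive
# says yes (sshd honours the first occurrence of a keyword).
sshd_uses_pam() {
    first_usepam=$(grep -Ei '^[[:space:]]*UsePAM[[:space:]]' "$1" | head -n 1 \
                   | awk '{ print tolower($2) }')
    [ "$first_usepam" = "yes" ]
}

# key_login_gated SSHD_CONF SSSD_CONF DOMAIN: report each missing piece and
# return 0 only when a public-key login will still hit SSSD's LDAP access check.
key_login_gated() {
    rc=0
    if ! sshd_uses_pam "$1"; then
        echo "FAIL: $1 lacks 'UsePAM yes'; sshd skips the PAM account phase for key logins"
        rc=1
    fi
    prov=$(ini_get "$2" "domain/$3" access_provider)
    if [ "$prov" != "ldap" ]; then
        echo "FAIL: [domain/$3] access_provider is '${prov:-unset}', not 'ldap'"
        rc=1
    fi
    order=$(ini_get "$2" "domain/$3" ldap_access_order | tr -d '[:space:]')
    case ",$order," in
        *,expire,*) ;;
        *) echo "FAIL: [domain/$3] ldap_access_order '${order:-unset}' lacks 'expire'"; rc=1 ;;
    esac
    policy=$(ini_get "$2" "domain/$3" ldap_account_expire_policy)
    if [ -z "$policy" ]; then
        echo "FAIL: [domain/$3] ldap_account_expire_policy is unset, so 'expire' has no data"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key logins in [domain/$3] pass PAM account + SSSD LDAP access control"
    return "$rc"
}

# make_samples DIR: write constructed good/bad config pairs so this runs offline.
make_samples() {
    printf '%s\n' 'Port 22' 'UsePAM no'  > "$1/sshd_config.bad"
    printf '%s\n' 'Port 22' 'UsePAM yes' > "$1/sshd_config.good"
    printf '%s\n' '[sssd]' 'domains = LDAP' '[domain/LDAP]' \
        'id_provider = ldap' 'access_provider = permit' > "$1/sssd.conf.bad"
    printf '%s\n' '[sssd]' 'domains = LDAP' '[domain/LDAP]' \
        'id_provider = ldap' 'access_provider = ldap' \
        'ldap_access_order = expire, filter' \
        'ldap_account_expire_policy = shadow' \
        'ldap_access_filter = (objectClass=posixAccount)' > "$1/sssd.conf.good"
}

# Stand-alone run against the constructed samples; on a real host point the
# functions at /etc/ssh/sshd_config and /etc/sssd/sssd.conf instead.
sample_dir=$(mktemp -d)
make_samples "$sample_dir"
key_login_gated "$sample_dir/sshd_config.good" "$sample_dir/sssd.conf.good" LDAP || true
key_login_gated "$sample_dir/sshd_config.bad"  "$sample_dir/sssd.conf.bad"  LDAP || true
rm -rf "$sample_dir"
```

Passing this check only means the account phase runs and SSSD evaluates the expiration policy selected by ldap_account_expire_policy; as Jakub notes above, a password-policy lock that the LDAP server reports only during a bind is still not seen on a key login, so account-level expiration (not password state) is what this path can enforce.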