Everyone,

Thanks for your pointers. What I am trying to replicate with sssd/LDAP is what happens with local password files on ssh with public keys. If /etc/shadow has an expired password, the user is locked out until they contact the admin and request it be reset:

    $ ssh somehost
    Your account has expired; please contact your system administrator
    Connection closed

My pam.d config file for sshd is standard for RHEL6 with sssd enabled:

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so

My sshd_config is set up for "PAM = yes" (again RHEL6 standard). My sssd.conf has the following relevant entries:

    id_provider = ldap
    auth_provider = ldap
    ldap_access_order = expire

The setting I am not sure about for sssd.conf is "ldap_account_expire_policy". I don't see anything in the manual page, WIKI or docs that details the correct setting for OpenLDAP with ppolicy, which is what prompted my message to this list.

What I need is for sssd to check the account locked attribute for ppolicy, which is "pwdAccountLockedTime", and if it's set, not allow the user to login. I have tried setting ldap_account_expire_policy to rhds, ipa and 389ds and setting ldap_ns_account_lock to pwdAccountLockedTime, to no effect. I see all kinds of options in the sssd.conf man pages for other LDAP providers (rhds, ipa, 389ds and AD) but I don't see an option for OpenLDAP w/ppolicy. So, is that even supported in sssd?
Thanks,
-Brad Viviano
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696
HSCSS Task Order Lead - Ravi Nair 919-541-5467 - nair.r...@epa.gov
High Performance Computing Subtask Lead - Durward Jones 919-541-5043 - jones.durw...@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen 919-541-1834 - paulsen.he...@epa.gov
________________________________________
From: sssd-devel-boun...@lists.fedorahosted.org <sssd-devel-boun...@lists.fedorahosted.org> on behalf of Stephen Gallagher <sgall...@redhat.com>
Sent: Monday, November 25, 2013 7:20 AM
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] Configuring SSSD expire policy with OpenLDAP and SSH.

On 11/24/2013 04:19 PM, Jakub Hrozek wrote:
> On Fri, Nov 22, 2013 at 03:16:16PM -0500, Dmitri Pal wrote:
>> On 11/22/2013 02:51 PM, Viviano, Brad wrote:
>>> Hello, I've searched extensively and haven't found an answer to this. I have a RHEL6.4 system running slapd version 2.4.23-32.el6_4.1 with sssd version 1.9.2-82.11.el6_4. I've configured OpenLDAP to use ppolicy. Everything (password expires, account locked, grace periods, etc) is working beautifully if the user logs in with their password. But if they have an SSH public key, then even if the account in OpenLDAP is locked, the user can still login. I can't seem to find a FAQ on configuring OpenLDAP and SSSD in regards to ppolicy settings for this case. I hope I am just missing something simple. Any suggestions or pointers would be much appreciated.
>>
>> You want to use account policies when logging in using SSH keys?
>>
>> I am not an expert so I am not sure exactly how to do it or whether it is possible, but I think you need to make sure that when you log into the system via SSH the PAM accounting phase is performed. Please check the SSH config to invoke pam accounting for access control checks; then you can use SSSD in the pam stack and use its access control provider configuration for LDAP to do the checks. At least this is the direction I would try to dig.
>>
>> HTH
>> Dmitri
>
> Dmitri is completely right.
>
> When you log in with your public key the authentication is performed by sshd, so the SSSD's pam_sss doesn't come into play in the authentication.
>
> Some password policies (eg shadow) would be possible to check later during the account phase, but typically the expiration data is returned by the LDAP server during authentication, so this solution wouldn't be generic.
>
> Also, by using public keys, you are logging in with another authentication token than your password, so it would seem a bit strange to warn about password properties.
>
> Account expiration is a different matter than password policy. Expiration should always be checked during account phase. I'm not sure which mechanism is most prevalent in OpenLDAP deployments, but please check the sssd-ldap man page, option 'ldap_account_expire_policy'. If there is some widely used overlay or other mechanism which is not supported by the SSSD, let us know.

Two other things to check:

1) Is /etc/ssh/sshd_config set with "Use PAM = yes"?

2) What do you have set in sssd.conf for access_provider? If you're not using "access_provider = ldap" and the appropriate "ldap_access_order" settings, the expiration policy may not be checked.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
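The configuration below is an added example, not something posted in the thread or shipped by the SSSD project. It shows the shape of an sssd.conf that makes the point raised by Jakub and Stephen concrete: with public-key SSH there is no LDAP bind, so ppolicy never gets a chance to refuse the login, and the only place left to enforce the lock is the PAM account phase, which pam_sss only enforces when access_provider = ldap. Since the sssd-ldap(5) of that era had no OpenLDAP-ppolicy value for ldap_account_expire_policy, the generic ldap_access_filter hook is used to deny any entry carrying pwdAccountLockedTime. The domain name "LDAP", the host ldap.example.com, the suffix dc=example,dc=com and the bind DN cn=sssd,ou=system,dc=example,dc=com are placeholders.

```ini
# /etc/sssd/sssd.conf (fragment) -- added example, not from the original thread.
# Assumes an OpenLDAP server with the ppolicy overlay, a domain named "LDAP",
# and a dedicated SSSD bind DN that may search on pwdAccountLockedTime.
# All names, hosts and DNs below are placeholders.
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap

# Without this line ldap_access_order is never consulted and the pam_sss
# account phase allows every user (Stephen's second point in the thread).
access_provider = ldap

ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=sssd,ou=system,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = change-me

# "filter": SSSD searches for (&(uid=<user>)(<ldap_access_filter>)) as the
# bind DN above and denies the login when no entry comes back. The ppolicy
# overlay stamps pwdAccountLockedTime on a locked entry, so refusing any
# entry that has the attribute implements "locked means no login", even
# when the user never presents a password.
# "expire": the existing shadow/rhds/ipa/389ds/ad expiry checks selected by
# ldap_account_expire_policy; harmless to keep in the chain.
ldap_access_order = filter, expire
ldap_access_filter = (!(pwdAccountLockedTime=*))

# Optional: also honour shadowExpire if entries carry the shadowAccount class.
# ldap_account_expire_policy = shadow
```

Three things have to be true for this to bite. First, sshd must run the PAM account phase, which on RHEL6 means "UsePAM yes" in /etc/ssh/sshd_config (the directive is spelled UsePAM, not "Use PAM"). Second, the account section of the PAM stack must reach pam_sss; the stock RHEL6 sssd-enabled system-auth does this with "account [default=bad success=ok user_unknown=ignore] pam_sss.so", and /etc/pam.d/sshd must include that file. Third, pwdAccountLockedTime is an operational attribute, so the SSSD bind DN needs search rights on it in slapd's ACLs, for example "access to attrs=pwdAccountLockedTime by dn.exact="cn=sssd,ou=system,dc=example,dc=com" read by * none" placed before any catch-all rule (the DN is the placeholder from the config). Two caveats on the filter approach: it treats the attribute as a plain flag, so it does not understand the ppolicy convention that 000001010000Z means "locked by the administrator" while any other value is a timed lockout governed by pwdLockoutDuration, and to my knowledge the overlay only clears an expired timed lock on the next successful password bind, which a key-only user never performs, so such a user stays denied until an admin removes the attribute or they log in with a password somewhere. Later SSSD releases added a dedicated "ppolicy" value for ldap_access_order (with ldap_pwdlockout_dn pointing at the policy entry) that does apply those semantics; check the sssd-ldap(5) of the version you actually run before relying on it, because the 1.9 series discussed in this thread does not have it.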