Some additional information on my problem. I've confirmed that for ssh, I am going through pam_sss.so just fine. If I set the following in my sssd.conf:
ldap_access_order = filter
ldap_access_filter = (!(pwdAccountLockedTime=*))

Then the user doesn't get access if their account is locked:

$ ssh bviviano@somehost
Connection closed

Since this is a filter, it can't really give the user a reason; they just get disconnected. It isn't an ideal situation, but it works. My question to the sssd developers is, am I missing something in sssd.conf that would make this work better and be more useful to the user? As I said in a previous message, I don't see anything in the manual pages or the WIKI that lists OpenLDAP/ppolicy-specific configurations, or even whether they are supported.

Thanks,
-Brad Viviano
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696
HSCSS Task Order Lead - Ravi Nair 919-541-5467 - nair.r...@epa.gov
High Performance Computing Subtask Lead - Durward Jones 919-541-5043 - jones.durw...@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen 919-541-1834 - paulsen.he...@epa.gov
________________________________________
From: sssd-devel-boun...@lists.fedorahosted.org <sssd-devel-boun...@lists.fedorahosted.org> on behalf of Viviano, Brad <viviano.b...@epa.gov>
Sent: Monday, November 25, 2013 10:29 AM
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] Configuring SSSD expire policy with OpenLDAP and SSH.

I turned debugging in sssd on at a high level for the LDAP section and found the following in the log when I try to log in with a locked account that has an SSH public key:

(Mon Nov 25 09:18:12 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding nsAccountLock [20131125140156Z] to attributes of [bviviano].
This directly corresponds to the pwdAccountLockedTime set on my account, which is what I set ldap_ns_account_lock to:

[root@smtools ldap]# ldapsearch -x -ZZ cn=bviviano pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <dc=epa,dc=gov> (default) with scope subtree
# filter: cn=bviviano
# requesting: pwdAccountLockedTime
#

# bviviano, users, epa.gov
dn: cn=bviviano,cn=users,dc=epa,dc=gov
pwdAccountLockedTime: 20131125140156Z

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

From reading, "nsAccountLock" is expecting a true/false field. OpenLDAP ppolicy doesn't seem to provide a locked/unlocked true/false in any field. It only provides pwdAccountLockedTime, which has the form of a time stamp. Is there anything in sssd.conf that would allow me to check not the value of "pwdAccountLockedTime" but whether that value exists or not? I might be able to craft an LDAP filter and search on that not existing, but thought I'd ask if anyone else has been able to get OpenLDAP w/ppolicy to work with SSSD.

Thanks,
-Brad Viviano
________________________________________
From: sssd-devel-boun...@lists.fedorahosted.org <sssd-devel-boun...@lists.fedorahosted.org> on behalf of Stephen Gallagher <sgall...@redhat.com>
Sent: Monday, November 25, 2013 7:20 AM
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] Configuring SSSD expire policy with OpenLDAP and SSH.
On 11/24/2013 04:19 PM, Jakub Hrozek wrote:
> On Fri, Nov 22, 2013 at 03:16:16PM -0500, Dmitri Pal wrote:
>> On 11/22/2013 02:51 PM, Viviano, Brad wrote:
>>> Hello, I've searched extensively and haven't found an answer to this. I have a RHEL6.4 system running slapd version 2.4.23-32.el6_4.1 with sssd version 1.9.2-82.11.el6_4. I've configured OpenLDAP to use ppolicy. Everything (password expires, account locked, grace periods, etc.) is working beautifully if the user logs in with their password. But if they have an SSH public key, then even if the account in OpenLDAP is locked, the user can still log in. I can't seem to find a FAQ on configuring OpenLDAP and SSSD in regards to ppolicy settings for this case. I hope I am just missing something simple. Any suggestions or pointers would be much appreciated.
>>
>> You want to use account policies when logging in using SSH keys?
>>
>> I am not an expert so I am not sure exactly how to do it or whether it is possible, but I think you need to make sure that when you log into the system via SSH the PAM accounting phase is performed. Please check the SSH config to invoke PAM accounting for access control checks; then you can use SSSD in the PAM stack and use its access control provider configuration for LDAP to do the checks. At least this is the direction I would try to dig.
>>
>> HTH
>> Dmitri
>
> Dmitri is completely right.
>
> When you log in with your public key the authentication is performed by sshd, so SSSD's pam_sss doesn't come into play in the authentication.
>
> Some password policies (e.g. shadow) would be possible to check later during the account phase, but typically the expiration data is returned by the LDAP server during authentication, so this solution wouldn't be generic.
>
> Also, by using public keys, you are logging in with another authentication token than your password, so it would seem a bit strange to warn about password properties.
>
> Account expiration is a different matter than password policy. Expiration should always be checked during the account phase. I'm not sure which mechanism is most prevalent in OpenLDAP deployments, but please check the sssd-ldap man page, option 'ldap_account_expire_policy'. If there is some widely used overlay or other mechanism which is not supported by the SSSD, let us know.

Two other things to check:

1) Is /etc/ssh/sshd_config set with "Use PAM = yes"?

2) What do you have set in sssd.conf for access_provider? If you're not using "access_provider = ldap" and the appropriate "ldap_access_order" settings, the expiration policy may not be checked.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
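Added example, not part of the thread and not SSSD or OpenLDAP code: the workaround above, ldap_access_filter = (!(pwdAccountLockedTime=*)), denies access whenever the attribute is present, regardless of its value. The slapo-ppolicy overlay gives that attribute more than one meaning: the sentinel 000001010000Z marks a permanent (administrator-only) lock, and a lockout caused by failed binds only lasts for pwdLockoutDuration seconds (or until an administrator resets it when that value is 0). The script below models both decisions side by side so the difference can be seen on the entry from Brad's ldapsearch output. The LDIF sample is constructed from that entry, the 900-second lockout duration is an assumed policy value, and the ppolicy_locked() logic is my reading of the overlay's documented semantics rather than its code; in particular it assumes the attribute can remain on the entry after the lockout has expired, until the next successful password bind clears it.

```python
"""Added example (not SSSD or OpenLDAP code): evaluate OpenLDAP ppolicy lock
state from an entry's pwdAccountLockedTime and compare it with what the
presence-only SSSD access filter (!(pwdAccountLockedTime=*)) decides.
The LDIF sample below is constructed from the entry shown in the thread."""
from datetime import datetime, timedelta, timezone

# slapo-ppolicy stores this sentinel when an administrator locks the account
# permanently; it is not a real timestamp and must not be parsed as one.
PERMANENT_LOCK = "000001010000Z"

# Constructed sample: the entry from the thread's ldapsearch output.
SAMPLE_LDIF = """\
# bviviano, users, epa.gov
dn: cn=bviviano,cn=users,dc=epa,dc=gov
pwdAccountLockedTime: 20131125140156Z
"""


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ GeneralizedTime form ppolicy stores (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ldif(text: str) -> dict:
    """Minimal reader for one LDIF entry: 'attr: value' lines; comments and blanks skipped."""
    entry: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def presence_filter_denies(entry: dict) -> bool:
    """Decision of ldap_access_filter = (!(pwdAccountLockedTime=*)):
    deny whenever the attribute is present, whatever its value."""
    return bool(entry.get("pwdAccountLockedTime"))


def ppolicy_locked(entry: dict, now: datetime, pwd_lockout_duration: int) -> bool:
    """Lock decision modelled on the slapo-ppolicy bind check (assumption: this
    follows the overlay's documented semantics; it is not the overlay's code):
      - no pwdAccountLockedTime           -> not locked
      - sentinel 000001010000Z            -> locked until an admin resets it
      - pwdLockoutDuration == 0           -> locked until an admin resets it
      - otherwise locked only while now < lockedTime + pwdLockoutDuration
    """
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return False
    locked_at = values[0]
    if locked_at == PERMANENT_LOCK or pwd_lockout_duration == 0:
        return True
    return now < parse_generalized_time(locked_at) + timedelta(seconds=pwd_lockout_duration)


def compare(entry: dict, now: datetime, pwd_lockout_duration: int) -> dict:
    """Both decisions side by side. 'stale' marks the case where the presence
    filter still denies an SSH-key login although ppolicy would already accept
    a password bind (the temporary lockout has expired but the attribute remains)."""
    filt = presence_filter_denies(entry)
    pol = ppolicy_locked(entry, now, pwd_lockout_duration)
    return {"filter_denies": filt, "ppolicy_locked": pol, "stale": filt and not pol}


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    # Assumed policy: pwdLockoutDuration = 900 seconds.
    for when in ("20131125141000Z", "20131125143000Z"):
        print(when, compare(entry, parse_generalized_time(when), 900))
```

With a 900-second pwdLockoutDuration, the sample account (locked at 14:01:56Z) is still locked at 14:10:00Z under both rules, but at 14:30:00Z only the presence filter denies it: a user who triggered a temporary lockout and then switched to a key would stay shut out until something clears the attribute, whereas a permanent lock (the sentinel value, or a zero lockout duration) is denied by both. If that stale case matters, the filter can be tightened to match only the sentinel, (!(pwdAccountLockedTime=000001010000Z)), at the cost of no longer catching active temporary lockouts. Separately, the sshd_config directive Stephen's first check refers to is written UsePAM yes; without it sshd skips the PAM account phase entirely and no SSSD access filter is consulted for key logins.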