On 11/25/2013 12:38 PM, Viviano, Brad wrote:
> Some additional information on my problem.
>
> I've confirmed that for ssh, I am going through pam_sss.so just fine. If I set the following in my sssd.conf:
>
> ldap_access_order = filter
> ldap_access_filter = (!(pwdAccountLockedTime=*))
>
> Then the user doesn't get access if their account is locked:
>
> $ ssh bviviano@somehost
> Connection closed
>
> Since this is a filter, it can't really give the user a reason, they just get disconnected. It isn't an ideal situation, but it works. My question to the sssd developers is, am I missing something in sssd.conf that would make this work better and be more useful to the user? As I said in a previous message, I don't see anything in the manual pages or the WIKI that lists OpenLDAP/ppolicy specific configurations or even if they are supported.
>
Couple thoughts:

1) Maybe you can create a virtual attribute in OpenLDAP using some plugin/overlay that would be true/false based on the presence of the pwdAccountLockedTime. Then you would be able to point to it as an attribute rather than use a filter.

2) I do not recall this issue discussed on the list before. You might want to file an RFE. However, I am not sure how soon we would be able to get to it. But help is always welcome!

> Thanks,
> -Brad Viviano
>
> ===================================================
> Brad Viviano
> High Performance Computing & Scientific Visualization
> Lockheed Martin, Supporting the EPA
> Research Triangle Park, NC
> 919-541-2696
>
> HSCSS Task Order Lead - Ravi Nair
> 919-541-5467 - nair.r...@epa.gov
> High Performance Computing Subtask Lead - Durward Jones
> 919-541-5043 - jones.durw...@epa.gov
> Environmental Modeling and Visualization Lead - Heidi Paulsen
> 919-541-1834 - paulsen.he...@epa.gov
>
> ________________________________________
> From: sssd-devel-boun...@lists.fedorahosted.org <sssd-devel-boun...@lists.fedorahosted.org> on behalf of Viviano, Brad <viviano.b...@epa.gov>
> Sent: Monday, November 25, 2013 10:29 AM
> To: Development of the System Security Services Daemon
> Subject: Re: [SSSD] Configuring SSSD expire policy with OpenLDAP and SSH.
>
> I turned debugging in sssd on at a high level for the LDAP section and found the following in the log when I try and login with a locked account that has an SSH public key:
>
> (Mon Nov 25 09:18:12 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding nsAccountLock [20131125140156Z] to attributes of [bviviano].
>
> This directly corresponds to the pwdAccountLockedTime set on my account, which is what I set ldap_ns_account_lock to:
>
> [root@smtools ldap]# ldapsearch -x -ZZ cn=bviviano pwdAccountLockedTime
> # extended LDIF
> #
> # LDAPv3
> # base <dc=epa,dc=gov> (default) with scope subtree
> # filter: cn=bviviano
> # requesting: pwdAccountLockedTime
> #
>
> # bviviano, users, epa.gov
> dn: cn=bviviano,cn=users,dc=epa,dc=gov
> pwdAccountLockedTime: 20131125140156Z
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> From reading, "nsAccountLock" is expecting a true/false field. OpenLDAP ppolicy doesn't seem to provide a locked/unlocked true/false in any field. It only provides pwdAccountLockedTime, which has the form of a time stamp. Is there anything in sssd.conf that would allow me to check not the value of "pwdAccountLockedTime" but whether that value exists or not? I might be able to craft an LDAP filter and search on that not existing, but thought I'd ask if anyone else has been able to get OpenLDAP w/ppolicy to work with SSSD.
>
> Thanks,
> -Brad Viviano
>
> ________________________________________
> From: sssd-devel-boun...@lists.fedorahosted.org <sssd-devel-boun...@lists.fedorahosted.org> on behalf of Stephen Gallagher <sgall...@redhat.com>
> Sent: Monday, November 25, 2013 7:20 AM
> To: Development of the System Security Services Daemon
> Subject: Re: [SSSD] Configuring SSSD expire policy with OpenLDAP and SSH.
>
> On 11/24/2013 04:19 PM, Jakub Hrozek wrote:
> > On Fri, Nov 22, 2013 at 03:16:16PM -0500, Dmitri Pal wrote:
> >> On 11/22/2013 02:51 PM, Viviano, Brad wrote:
> >>> Hello, I've searched extensively and haven't found an answer to this. I have a RHEL6.4 system running slapd version 2.4.23-32.el6_4.1 with sssd version 1.9.2-82.11.el6_4. I've configured OpenLDAP to use ppolicy. Everything (password expires, account locked, grace periods, etc) is working beautifully if the user logs in with their password. But if they have an SSH public key, then even if the account in OpenLDAP is locked, the user can still login. I can't seem to find a FAQ on configuring OpenLDAP and SSSD in regards to ppolicy settings for this case. I hope I am just missing something simple. Any suggestions or pointers would be much appreciated.
> >>
> >> You want to use account policies when logging in using SSH keys?
> >>
> >> I am not an expert so I am not sure exactly how to do it or whether it is possible, but I think you need to make sure that when you log into the system via SSH the PAM accounting phase is performed. Please check SSH config to invoke pam accounting for access control checks; then you can use SSSD in the pam stack and use its access control provider configuration for LDAP to do the checks. At least this is the direction I would try to dig.
> >>
> >> HTH Dmitri
> >
> > Dmitri is completely right.
> >
> > When you log in with your public key the authentication is performed by sshd, so the SSSD's pam_sss doesn't come into play in the authentication.
> >
> > Some password policies (eg shadow) would be possible to check later during the account phase, but typically the expiration data is returned by the LDAP server during authentication, so this solution wouldn't be generic.
> >
> > Also, by using public keys, you are logging in with another authentication token than your password, so it would seem strange a bit to warn about password properties.
> >
> > Account expiration is a different matter than password policy. Expiration should always be checked during account phase. I'm not sure which mechanism is most prevalent in OpenLDAP deployments, but please check the sssd-ldap man page, option 'ldap_account_expire_policy'. If there is some widely used overlay or other mechanism which is not supported by the SSSD, let us know.
>
> Two other things to check:
>
> 1) Is /etc/ssh/sshd_config set with "Use PAM = yes"?
> 2) What do you have set in sssd.conf for access_provider? If you're not using "access_provider = ldap" and the appropriate "ldap_access_order" settings, the expiration policy may not be checked.
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
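The thread contrasts two ways of making SSSD deny a locked ppolicy account: mapping ldap_ns_account_lock to pwdAccountLockedTime (which did not work, because nsAccountLock is read as a true/false value while ppolicy stores a timestamp) and the presence filter (!(pwdAccountLockedTime=*)) (which works but cannot tell the user why). The script below is an added example, not SSSD code and not posted by any participant in the thread: it evaluates both approaches offline against an LDIF entry modeled on the ldapsearch output quoted above, and decodes the lock timestamp so an administrator can log a reason next to the "Connection closed". It assumes only the Python standard library; the permanent-lock sentinel value 000001010000Z is taken from the slapo-ppolicy documentation, not from the thread.

```python
"""Offline evaluation of the two SSSD access-control approaches from the
thread against an LDAP entry as returned by ldapsearch.

Constructed example: this is not SSSD code and does not contact an LDAP
server. SAMPLE_LDIF is modeled on the ldapsearch output in the thread.
"""
from datetime import datetime, timezone

# Constructed LDIF, modeled on the thread's ldapsearch output.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=epa,dc=gov> (default) with scope subtree
# filter: cn=bviviano
# requesting: pwdAccountLockedTime
#

# bviviano, users, epa.gov
dn: cn=bviviano,cn=users,dc=epa,dc=gov
pwdAccountLockedTime: 20131125140156Z

# search result
search: 3
result: 0 Success
"""

# slapo-ppolicy stores this sentinel in pwdAccountLockedTime when an
# administrator has locked the account permanently (no lockout duration).
PERMANENT_LOCK = "000001010000Z"


def parse_ldif_entry(text):
    """Return {attribute: [values]} for the first entry in an LDIF blob.

    Comment lines are skipped, continuation lines (leading space) are
    folded into the previous value, and the first blank line after the
    entry has started ends it, so ldapsearch's trailing 'search:' and
    'result:' lines are not mistaken for attributes.
    """
    entry = {}
    last_attr = None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                break
            continue
        if line.startswith(" ") and last_attr is not None:
            entry[last_attr][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr = attr.strip()
        entry.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entry


def ns_account_lock_says_locked(entry, attr="pwdAccountLockedTime"):
    """What 'ldap_ns_account_lock = pwdAccountLockedTime' evaluates to.

    As the thread notes, SSSD reads the mapped attribute as a true/false
    value, so a ppolicy timestamp never counts as locked.
    """
    return any(v.lower() == "true" for v in entry.get(attr, []))


def presence_filter_denies(entry, attr="pwdAccountLockedTime"):
    """What 'ldap_access_filter = (!(pwdAccountLockedTime=*))' evaluates to.

    The filter matches only when the attribute is absent, so any value,
    timestamp or permanent-lock sentinel, denies access.
    """
    return attr in entry


def locked_since(entry, attr="pwdAccountLockedTime"):
    """Decode the lock timestamp for an audit log line.

    Returns a timezone-aware datetime, the string 'permanent' for the
    ppolicy sentinel, or None when the account is not locked.
    """
    values = entry.get(attr, [])
    if not values:
        return None
    if values[0] == PERMANENT_LOCK:
        return "permanent"
    # ppolicy writes LDAP GeneralizedTime as YYYYmmddHHMMSSZ (UTC).
    return datetime.strptime(values[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate(ldif_text):
    """Summarise both approaches for one entry, e.g. to explain a denied login."""
    entry = parse_ldif_entry(ldif_text)
    return {
        "dn": entry.get("dn", [None])[0],
        "ns_account_lock_locked": ns_account_lock_says_locked(entry),
        "filter_denies": presence_filter_denies(entry),
        "locked_since": locked_since(entry),
    }


if __name__ == "__main__":
    for key, val in evaluate(SAMPLE_LDIF).items():
        print(f"{key}: {val}")
```

Running it against the sample entry shows the two results side by side: the nsAccountLock mapping reports the account as not locked, while the presence filter denies it. The locked_since value is what a PAM or sshd log line could carry so the "Connection closed" the user sees has a reason on the server side.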