Hello,
     I have a RHEL6 server running sssd 1.9.2-129 (Red Hat RPM).  I've 
configured it to talk to my LDAP server, which is OpenLDAP.  OpenLDAP doesn't 
natively support account locking via ldap_ns_account_lock, so I added a schema 
extension so I could set an account locked when needed.  Everything is 
working fine having ldap_account_expire_policy set to rhds, but I was wondering 
if there was an option in sssd to provide a message to the user directly that 
the account is locked when they try to log in.  All the user sees is (as an 
example):

$ ssh -o bviviano@myhost
bviviano@myhost's password:
Your password will expire in 6 day(s).
Connection closed

If I look in /var/log/secure I see this message:

Nov 27 10:03:44 smtools sshd[17267]: pam_sss(sshd:account): system info: [The 
user account is locked on the server]

I can see the account is locked and my sssd log for that domain shows the 
account is locked:

(Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [sdap_account_expired_rhds] 
(0x0400): Performing RHDS access check for user [bviviano]
(Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [sdap_account_expired_rhds] 
(0x4000): Account for user [bviviano] is locked.
(Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [be_pam_handler_callback] 
(0x0100): Backend returned: (0, 6, <NULL>) [Success]

I'd just like to provide that information back to the user directly in this 
case, if it's an option.

    Thanks,
         -Brad Viviano

===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696

HSCSS Task Order Lead - Ravi Nair
919-541-5467 - [email protected]
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - [email protected]
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - [email protected]
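
Added example (not part of the original message and not SSSD code): a small Python parser that pulls locked-account denials out of an sssd domain log in the format quoted above, so an administrator can see who is hitting a lock even though the user is told nothing. It assumes each log entry sits on a single line, as sssd writes it (the mail wrapped them); the function names and the second user "jdoe" are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the domain-log lines quoted in the message.
SAMPLE_LOG = """\
(Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [bviviano]
(Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [sdap_account_expired_rhds] (0x4000): Account for user [bviviano] is locked.
(Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Nov 27 10:05:10 2013) [sssd[be[default]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [jdoe]
(Wed Nov 27 10:05:10 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Nov 27 10:09:02 2013) [sssd[be[default]]] [sdap_account_expired_rhds] (0x4000): Account for user [bviviano] is locked.
"""

# (timestamp) [sssd[be[domain]]] [function] (debug level): message
LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
LOCKED = re.compile(r"^Account for user \[(?P<user>[^\]]+)\] is locked\.$")


def locked_account_events(text):
    """Return (timestamp, domain, user) for every RHDS-policy lock denial."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        # Only the RHDS expiry check emits the message we are looking for.
        if not m or m["func"] != "sdap_account_expired_rhds":
            continue
        hit = LOCKED.match(m["msg"])
        if hit:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["domain"], hit["user"]))
    return events


def attempts_per_user(events):
    """Count login attempts against locked accounts, per user."""
    return Counter(user for _, _, user in events)


if __name__ == "__main__":
    for ts, domain, user in locked_account_events(SAMPLE_LOG):
        print(f"{ts.isoformat()} domain={domain} locked-account login attempt: {user}")
```

The "is locked" line is logged at debug level 0x4000 in the excerpt, so the domain's debug_level has to be high enough for it to appear in the log at all.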