On Wed, Nov 27, 2013 at 03:28:13PM +0000, Viviano, Brad wrote:
> Hello,
> I have a RHEL6 server running sssd 1.9.2-129 (Redhat RPM). I've
> configured it to talk to my LDAP server, which is OpenLDAP. OpenLDAP doesn't
> natively support account locking via ldap_ns_account_lock so I added a schema
> extension so I could set an account locked when needed. Everything is
> working fine having ldap_account_expire_policy set to rhds, but I was
> wondering if there was an option in sssd to provide a message to the user
> directly that the account is locked when they try and login. All the user
> sees is (as an example):
>
> $ ssh -o bviviano@myhost
> bviviano@myhost's password:
> Your password will expire in 6 day(s).
> Connection closed
>
> If I look in /var/log/secure I see this message:
>
> Nov 27 10:03:44 smtools sshd[17267]: pam_sss(sshd:account): system info: [The
> user account is locked on the server]
>
> I can see the account is locked and my sssd log for that domain shows the
> account is locked:
>
> (Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [sdap_account_expired_rhds]
> (0x0400): Performing RHDS access check for user [bviviano]
> (Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [sdap_account_expired_rhds]
> (0x4000): Account for user [bviviano] is locked.
> (Wed Nov 27 10:03:44 2013) [sssd[be[default]]] [be_pam_handler_callback]
> (0x0100): Backend returned: (0, 6, <NULL>) [Success]
>
> I'd just like to provide that information back to the user directly in this
> case, if it's an option.
>
> Thanks,
> -Brad Viviano

Hi Brad,

can you test if the message appears if you set pam_verbosity=2 in the [pam]
section of the sssd.conf?
