Hello, I am nearly finished building a new LDAP cluster using SSSD for clients.

I have a password policy set which will lock out accounts upon bind failure:

dn: ou=Policies,dc=blah
ou: Policies
objectClass: organizationalUnit

dn: cn=passwordDefault,ou=Policies,dc=blah
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 365
pwdMinLength: 15
pwdInHistory: 5
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 320
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdSafeModify: FALSE

I am using an account for binding with LDAP since my OpenLDAP ACLs disallow anonymous binds. My concern about this is that if a malicious user were to start attempting binds with the bind account, then they could lock out this important user, thus bringing down SSSD binding for all of my clients. I do not want this.

sssd.conf:

ldap_uri = ldaps://provider
ldap_backup_uri = ldaps://consumer
ldap_default_bind_dn = uid=user,ou=sysadmin,dc=blah
ldap_default_authtok_type = password
ldap_default_authtok = longpass
ldap_search_base = dc=blah
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/sha2bundle.cer

This should probably be sent to another list, though does anyone know if it's possible to exempt a single user from the above password policy so that pwdLockout would not apply?

Thanks
Doug

Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: [email protected]
O: 212-746-6305
F: 212-746-8690
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
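Added example (not code from the original post, nor from the SSSD or OpenLDAP projects): an offline model of the ppolicy overlay's failure counting and lockout bookkeeping, replayed against the lockout-relevant attributes of the posted passwordDefault policy. The exemption mechanism it assumes is ppolicy's per-entry pwdPolicySubentry attribute, which points a single entry at a different policy; the cn=passwordNoLockout policy and the uid=exemptbind entry below are constructed for illustration and are not on the page. The script shows what a burst of three bad passwords does to the bind DN under each policy, and what pwdFailureCountInterval and pwdLockoutDuration change.

```python
"""Offline model of OpenLDAP ppolicy lockout bookkeeping (added example)."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed: the post's default policy trimmed to its lockout attributes,
# plus an assumed second policy that disables lockout.
POLICY_LDIF = """\
dn: cn=passwordDefault,ou=Policies,dc=blah
objectClass: pwdPolicy
cn: passwordDefault
pwdAttribute: userPassword
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0

dn: cn=passwordNoLockout,ou=Policies,dc=blah
objectClass: pwdPolicy
cn: passwordNoLockout
pwdAttribute: userPassword
pwdLockout: FALSE
"""

# Constructed: the post's bind DN as-is, and a hypothetical entry that is
# pointed at the no-lockout policy through pwdPolicySubentry.
USER_LDIF = """\
dn: uid=user,ou=sysadmin,dc=blah
objectClass: account
uid: user

dn: uid=exemptbind,ou=sysadmin,dc=blah
objectClass: account
uid: exemptbind
pwdPolicySubentry: cn=passwordNoLockout,ou=Policies,dc=blah
"""

DEFAULT_POLICY = "cn=passwordDefault,ou=Policies,dc=blah"  # the overlay's default


def parse_ldif(text: str) -> dict:
    """Parse simple LDIF (no base64, no line folding) into {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is None:
            raise ValueError("attribute before dn")
        else:
            current.setdefault(attr, []).append(value)
    return entries


def effective_policy(user: dict, policies: dict) -> dict:
    """A per-entry pwdPolicySubentry wins; otherwise the default policy applies."""
    return policies[user.get("pwdPolicySubentry", [DEFAULT_POLICY])[0]]


def _int(policy: dict, attr: str) -> int:
    return int(policy.get(attr, ["0"])[0])


@dataclass
class AccountState:
    """Operational attributes ppolicy keeps on the user entry."""
    failure_times: list = field(default_factory=list)  # pwdFailureTime values
    locked_at: Optional[int] = None                    # pwdAccountLockedTime


def bind(state: AccountState, policy: dict, now: int, password_ok: bool) -> bool:
    """Apply one simple bind at time `now`; return whether the bind succeeds."""
    if state.locked_at is not None:
        duration = _int(policy, "pwdLockoutDuration")
        # 0 means locked until an admin removes pwdAccountLockedTime
        if duration == 0 or now < state.locked_at + duration:
            return False
        state.locked_at, state.failure_times = None, []
    if password_ok:
        state.failure_times = []  # a successful bind purges pwdFailureTime
        return True
    interval = _int(policy, "pwdFailureCountInterval")
    if interval:  # only failures inside the interval count; 0 = never age out
        state.failure_times = [t for t in state.failure_times if t > now - interval]
    state.failure_times.append(now)
    lockout = policy.get("pwdLockout", ["FALSE"])[0].upper() == "TRUE"
    max_failure = _int(policy, "pwdMaxFailure")  # 0 = unlimited failures
    if lockout and max_failure and len(state.failure_times) >= max_failure:
        state.locked_at = now
    return False


def replay(user_dn: str, attempts, policies: dict, users: dict):
    """Replay (time, password_ok) attempts; return (outcomes, locked?)."""
    policy = effective_policy(users[user_dn], policies)
    state = AccountState()
    return [bind(state, policy, t, ok) for t, ok in attempts], state.locked_at is not None


POLICIES, USERS = parse_ldif(POLICY_LDIF), parse_ldif(USER_LDIF)
# Three wrong guesses from an attacker, then SSSD's correct password.
ATTACK = [(0, False), (1, False), (2, False), (3, True)]

if __name__ == "__main__":
    for dn in USERS:
        print(dn, replay(dn, ATTACK, POLICIES, USERS))
```

Under the posted policy the bind DN is locked after the third failure and SSSD's own correct bind is then refused, which is exactly the outage described; the entry carrying pwdPolicySubentry keeps binding. On a real server pwdPolicySubentry is an operational attribute, so it needs appropriate write access to set and is only returned by ldapsearch when operational attributes are requested with `+`; with pwdLockoutDuration 0 a locked entry stays locked until pwdAccountLockedTime is removed by an administrator.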
