Liam Gretton wrote:
On 27/11/2013 20:51, Michael Ströder wrote:
Viviano, Brad wrote:
I can't foresee a time I would want a user to just disappear entirely from
a system because their password is locked. I don't want locked users to be
invisible, I want them to be locked so they can't login.
On Nov 28, 2013, at 9:30 AM, Liam Gretton wrote:
Now I use a custom 'lock' attribute on all accounts and use an LDAP filter at
the client end. This is fine for our purposes but could be a problem for
appliances that don't provide much in the way of LDAP configuration options.
I've used
On 28/11/2013 08:56, Turbo Fredriksson wrote:
On Nov 28, 2013, at 9:30 AM, Liam Gretton wrote:
Now I use a custom 'lock' attribute on all accounts and use an LDAP filter at
the client end. This is fine for our purposes but could be a problem for
appliances that don't provide much in the way
On 28/11/2013 08:53, Michael Ströder wrote:
Changing access to userPassword, whether by ACL or by modifying the attribute
value itself, doesn't have any effect when the user has a SSH key because LDAP
is not involved in authentication.
Uuuhuuhh. You can even have two different ACLs for
, November 25, 2013 1:38 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
Howard,
I'm not expecting it to validate their password, I am expecting it to
check
if their account is locked for some reason
Viviano, Brad wrote:
I understand what you are saying. It would have been nice if a generalized
account locking method was included in the ppolicy or a similar overlay was
available like other LDAP server implementations provide.
It's very easy to lock accounts (or whatever entries) by ACLs.
, 2013 9:35 AM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
I understand what you are saying. It would have been nice if a generalized
account locking method was included in the ppolicy or a similar
Viviano, Brad wrote:
Adjusting ACLs seems like overkill for this situation and I have to work
within the bounds of what sssd offers. sssd doesn't have a native check for
pwdAccountLockedTime when it does ppolicy based checking, the code just isn't
there. sssd for LDAP auth does support a
Viviano, Brad wrote:
Adjusting ACLs seems like overkill for this situation and I have to work
within the bounds of what sssd offers.
I'm doing this with sssd and it's definitely not overkill
= there's no valid excuse to not learn about ACLs
And it does not only work for applications/clients
Viviano, Brad wrote:
Howard,
I don't see your point.
Clearly.
I'm not debating a user providing a password or
not.
I'm discussing how to inform the client that an account is locked. Slapd
already knows the account for DN=x is locked because the user provided an
invalid password too many
Lead - Heidi Paulsen
919-541-1834 - paulsen.he...@epa.gov
From: Howard Chu h...@symas.com
Sent: Wednesday, November 27, 2013 2:49 PM
To: Viviano, Brad; Michael Ströder; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration
Viviano, Brad wrote:
I can't foresee a time I would want a user to just disappear entirely from
a system because their password is locked. I don't want locked users to be
invisible, I want them to be locked so they can't login.
Gee, can't you read about ACLs *before* responding like that.
On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote:
So, I need a reliable way to lock an account that can handle both methods.
I haven't followed the thread closely, but if I understand
you correctly: You want to disable/lock an account, without
hiding it from ls etc?
As in, making sure the user
REMOVE ME
Hello,
I've searched the archives of this list, the web as best I can, and have
this same question asked to the sssd-devel mailing list and can not seem to
find an answer to my question. I have a RHEL 6.4 server with OpenLDAP
2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as
Viviano, Brad wrote:
Hello,
I've searched the archives of this list, the web as best I can, and have
this same question asked to the sssd-devel mailing list and can not seem to
find an answer to my question. I have a RHEL 6.4 server with OpenLDAP
2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6,
Chu h...@symas.com
Sent: Monday, November 25, 2013 1:07 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
Hello,
I've searched the archives of this list, the web as best I can, and have
this same
Change the users she'll to nologin.
Mike
On Nov 25, 2013, at 1:23 PM, Howard Chu h...@symas.com wrote:
Viviano, Brad wrote:
Hello,
I've searched the archives of this list, the web as best I can, and have
this same question asked to the sssd-devel mailing list and can not seem to
Autocorrect shell
On Nov 25, 2013, at 1:33 PM, Michael mlstarlin...@hotmail.com wrote:
Change the users she'll to nologin.
Mike
On Nov 25, 2013, at 1:23 PM, Howard Chu h...@symas.com wrote:
Viviano, Brad wrote:
Hello,
I've searched the archives of this list, the web as
...@symas.com
Sent: Monday, November 25, 2013 1:07 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
Hello,
I've searched the archives of this list, the web as best I can, and have
this same question
Viviano, Brad wrote:
I'm not expecting it to validate their password, I am expecting it to check
if their account is locked for some reason. If their account is locked in
LDAP, it shouldn't let them login under any circumstances. For technical
reasons we need ssh public keys to operate (IBM
21 matches