Michael,
    I can't foresee a time I would want a user to just disappear entirely from 
a system because their password is locked.  I don't want locked users to be 
invisible, I want them to be locked so they can't log in.  I still want NSS to 
know the users exist so when someone does an 'ls -l' it doesn't just list 
numbers for them, or if they need to query email or phone number, it's still 
available.  There are lots of reasons I can think of why I need to lock an 
account to prevent a user from logging into a given system, none that I can 
think of where I would want a user to 100% disappear because their account is 
locked.

    I understand how ACLs work and I don't see changing ACLs as a solution to 
this problem.  My RHEL admins won't take kindly to me just making users 
disappear on their systems because their account is locked, they're funny 
that way.  They'd rather a message showed up in syslog that says user X is locked 
when the user tries to log in so they see it.

    Thanks,
         -Brad

===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696

HSCSS Task Order Lead - Ravi Nair
919-541-5467 - nair.r...@epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - jones.durw...@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - paulsen.he...@epa.gov

________________________________________
From: Michael Ströder <mich...@stroeder.com>
Sent: Wednesday, November 27, 2013 1:10 PM
To: Viviano, Brad; openldap-technical@openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.

Viviano, Brad wrote:
> Adjusting ACLs seems like overkill for this situation and I have to work 
> within the bounds of what sssd offers.

I'm doing this with sssd and it's definitely not overkill
=> there's no valid excuse to not learn about ACLs

And it does not only work for applications/clients which support a custom
name-your-favourite-vendor-specific-lock-attribute-here. If done right ACLs
simply make entries invisible for sssd or *every* application integrated with
your LDAP server.

Ciao, Michael.

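The thread argues about what a ppolicy lock should mean to consumers (locked but visible, as Brad wants, versus hidden by ACL, as Michael suggests). The following is an added example, not code from either poster or from OpenLDAP: it evaluates the ppolicy lock state of a user entry the way the overlay does, so a separate auditing or login-gating script can emit the "user X is locked" message Brad's admins want instead of relying on the entry vanishing. It uses the real attribute names from the OpenLDAP ppolicy overlay (pwdAccountLockedTime on the entry, pwdLockoutDuration on the policy) and the overlay's convention that the value 000001010000Z denotes a permanent administrative lock; the sample entries and policy are constructed here, and nothing about sssd's own behaviour is modelled.

```python
from datetime import datetime, timedelta, timezone

# ppolicy writes this sentinel when an administrator locks the account;
# such a lock never expires on its own.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20131127180000Z (UTC, fraction ignored)."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lock_status(entry, policy, now=None):
    """Return (locked, reason) for a user entry under the given ppolicy entry.

    entry and policy are plain dicts of single-valued attributes, as a script
    would build them from an LDAP search result (assumption for this example).
    """
    now = now or datetime.now(timezone.utc)
    locked_time = entry.get("pwdAccountLockedTime")
    if not locked_time:
        return False, "not locked"
    if locked_time == PERMANENT_LOCK:
        return True, "administratively locked (permanent)"
    # Lock set by the overlay after too many failures: it expires after
    # pwdLockoutDuration seconds, or never if the duration is absent or 0.
    duration = int(policy.get("pwdLockoutDuration", 0))
    since = parse_generalized_time(locked_time)
    if duration == 0:
        return True, f"locked since {locked_time} until reset by an administrator"
    expires = since + timedelta(seconds=duration)
    if now < expires:
        return True, f"locked since {locked_time}, expires {expires:%Y%m%d%H%M%SZ}"
    return False, f"lockout expired at {expires:%Y%m%d%H%M%SZ}"


def audit_message(uid, entry, policy, now=None):
    """Build the syslog-style line the admins in the thread asked for."""
    locked, reason = lock_status(entry, policy, now)
    state = "is locked" if locked else "is not locked"
    return f"ppolicy: user {uid} {state} ({reason})"


# Constructed sample data, not taken from any real directory.
POLICY = {"pwdLockoutDuration": "900"}  # 15 minutes
USERS = {
    "alice": {"pwdAccountLockedTime": PERMANENT_LOCK},
    "bob": {"pwdAccountLockedTime": "20131127180000Z"},
    "carol": {},
}

if __name__ == "__main__":
    now = datetime(2013, 11, 27, 18, 5, tzinfo=timezone.utc)
    for uid, entry in USERS.items():
        print(audit_message(uid, entry, POLICY, now))
```

Running the block with the constructed data reports alice as permanently locked, bob as locked for another ten minutes, and carol as not locked; with a policy whose pwdLockoutDuration is 0 or missing, bob's lock would instead be reported as lasting until an administrator clears pwdAccountLockedTime.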
