On 11/25/2013 12:38 PM, Viviano, Brad wrote:
> Some additional information on my problem.
>
> I've confirmed that for ssh, I am going through pam_sss.so just fine. If I set the following in my sssd.conf:
>
> ldap_access_order = filter
> ldap_access_filter = (!(pwdAccountLockedTime=*))
>
> Then the
Some additional information on my problem.
I've confirmed that for ssh, I am going through pam_sss.so just fine. If I set
the following in my sssd.conf:
ldap_access_order = filter
ldap_access_filter = (!(pwdAccountLockedTime=*))
Then the user doesn't get access if their account is locked:
$ s
ehlo,
attached patches should fix https://fedorahosted.org/sssd/ticket/2163
LS
From 14793ec8ed31560eb9792a658ddcd5881bb4af79 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Mon, 25 Nov 2013 13:43:30 +0100
Subject: [PATCH 1/2] SYSDB: Sanitize filter before sysdb_search_groups
sysdb_delete_
I turned debugging in sssd on at a high level for the LDAP section and found
the following in the log when I try and login with a locked account, that has
an SSH public key:
(Mon Nov 25 09:18:12 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): Adding nsAccountLock [20131125140156Z
Everyone,
Thanks for your pointers. What I am trying to replicate with sssd/LDAP is
what happens with local password files on ssh with public keys. If /etc/shadow
has an expired password, the user is locked out until they contact the admin
and request it be reset:
$ ssh somehost
Your acco
On 11/24/2013 04:19 PM, Jakub Hrozek wrote:
> On Fri, Nov 22, 2013 at 03:16:16PM -0500, Dmitri Pal wrote:
>> On 11/22/2013 02:51 PM, Viviano, Brad wrote:
>>> Hello, I've searched extensively and haven't found an answer to
>>> this. I have a RHEL6.4 sy
On 11/22/2013 04:00 PM, Jakub Hrozek wrote:
On Fri, Nov 22, 2013 at 03:33:50PM +0100, Jakub Hrozek wrote:
I think this is it. Thank you for your patience. ACK
Pushed both to master.
Can you also resend the patches for 1.11? These don't apply cleanly.