On Fri, 2013-02-15 at 10:21 +0100, Sumit Bose wrote:
> On Fri, Feb 15, 2013 at 02:28:50PM +0530, Rajnesh Kumar Siwal wrote:
> > We have an attribute pwdAccountLockedTime in OpenLDAP that is
> > responsible for locking a User account.
> > I am not able to figure out how sssd honours it.
>
> The attribute is part of the server side password policies
> (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10). It
> will be managed by the OpenLDAP server and the lockout is also enforced
> by the OpenLDAP server, i.e. bind requests will be rejected. See 'man
> slapo-ppolicy'
> (http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release)
> for details.
>
> Since all is happening on the server side there is no need for SSSD to
> be aware of this attribute.

Well there is the question of offline logins, but those should probably be disabled if you have such strict policies?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
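
The server-side lock decision discussed in this thread, as an added example that is not part of the original messages or of SSSD/OpenLDAP code: it evaluates pwdAccountLockedTime against pwdLockoutDuration the way the password policy draft and slapo-ppolicy describe, which is the state an offline login from cached credentials never gets to consult. It assumes pwdLockout is TRUE in the policy and that timestamps use the `YYYYmmddHHMMSSZ` form; the function names and sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Sentinel from the password policy draft: locked until an administrator unlocks.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse the UTC GeneralizedTime form YYYYmmddHHMMSSZ (assumed format)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_locked(pwd_account_locked_time, pwd_lockout_duration, now):
    """Return True if the entry counts as locked at `now`.

    pwd_account_locked_time: attribute value, or None if the attribute is absent
    pwd_lockout_duration: seconds from the policy entry; 0 or None means the
        lock stays until an administrator resets it
    """
    if pwd_account_locked_time is None:
        return False
    if pwd_account_locked_time == PERMANENT_LOCK:
        # Year 0000 cannot be represented by datetime, so test the sentinel first.
        return True
    if not pwd_lockout_duration:
        return True
    locked_at = parse_generalized_time(pwd_account_locked_time)
    return now < locked_at + timedelta(seconds=pwd_lockout_duration)


# Constructed sample entries: (uid, pwdAccountLockedTime, pwdLockoutDuration)
SAMPLE = [
    ("alice", None, 900),
    ("bob", "20130215090000Z", 900),
    ("carol", "20130215090000Z", 0),
    ("dave", PERMANENT_LOCK, 900),
]


def locked_uids(entries, now):
    """Return the uids whose lock is still in force at `now`."""
    return [uid for uid, locked, duration in entries if is_locked(locked, duration, now)]


if __name__ == "__main__":
    now = datetime(2013, 2, 15, 9, 10, tzinfo=timezone.utc)
    print(locked_uids(SAMPLE, now))
```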