What is the SSSD approach to allowing a user to only log in when its backend is offline?
I currently have an OpenLDAP server that I authenticate against via SSSD and PAM to log in. Normally, I can log into my machines with the accounts stored in LDAP; however, I would like to still be able to log into those machines even if my LDAP server is not online. I want to have an emergency user that is able to log in when LDAP is not online, but I don't want the emergency user to be able to log in when LDAP is online. I don't want to cache credentials, and I can't guarantee that the account will have been used to log in before LDAP is offline.

What I am currently doing that doesn't work is having a locked account in LDAP for the emergency user, so if someone tries to log in as the emergency user it will fail. The emergency user is disabled by setting `ldap_access_order` to `expire`. Unfortunately, when LDAP is offline, the emergency user still has the locked attribute since the user's attributes are cached, so the emergency user still fails to log in.

So my questions are:

1. SSSD is caching my user information (not credentials) when my LDAP server is offline. Is there a way to not cache user information, or drop it after a set amount of time? I don't think there is a way, but I want to ask. I also don't think that this is the SSSD mindset, which leads to my next question.

2. What is the SSSD way to allow a user to only log in when its backend is offline? Is there a way to do special things when a backend is offline? Instead of locking the account through a client-side 'access' check, should I be doing this through a server-side mechanism?

Am I missing something incredibly obvious? Is this just a stupid approach to begin with? I am sure there is a good way to do this, I just don't know enough to figure it out.

Thanks,
Kevin

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
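For readers unfamiliar with the options the post refers to, the following sssd.conf fragment reproduces the setup Kevin describes: an LDAP identity/auth domain with the `ldap` access provider doing a client-side `expire` check. It is an added illustration, not configuration taken from the original message or from the SSSD project, and the domain name, server URI and search base are placeholders.

```ini
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
# placeholders: replace with the real server and search base
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# Client-side access check as described in the post: pam_sss refuses the
# login when the account is expired according to ldap_account_expire_policy.
access_provider = ldap
ldap_access_order = expire
# "shadow" evaluates the shadowExpire attribute of the LDAP entry
ldap_account_expire_policy = shadow

# Passwords are not cached (this is also the default).
cache_credentials = false

# Identity data, including the attributes the expire check reads, is still
# written to the SSSD cache; entry_cache_timeout (seconds) only governs how
# often SSSD re-fetches an entry while the backend is reachable.
entry_cache_timeout = 5400
```

The point the fragment makes visible is that the `expire` decision is taken on the client from attributes held in SSSD's cache, independently of whether the LDAP server is reachable, which is the behaviour the post observes when the server is offline.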
