On Tue, Nov 29, 2016 at 03:40:26AM -0000, [email protected] wrote:
> What is the SSSD approach to allowing a user to only login when its backend
> is offline?

I'm not aware of anything readily available.

> I currently have an OpenLDAP server that I authenticate against via SSSD
> and PAM to login. Normally, I can log into my machines with the accounts
> stored in LDAP, however, I would like to still be able to log into those
> machines even if my LDAP server is not online. I want to have an emergency
> user that is able to login when LDAP is not online, but I don't want the
> emergency user to be able to log in when LDAP is online. I don't want to
> cache credentials and I can't guarantee that the account will have been
> used to login before LDAP is offline.

Please note that the credential caching does not actually cache plaintext
passwords, but only password hashes. Moreover, the cache is only accessible
to the root user. Here is an example from my test machine:

# ldbsearch -H /var/lib/sss/db/cache_ipa.test.ldb [email protected] cachedPassword
# record 1
dn: [email protected],cn=users,cn=ipa.test,cn=sysdb
cachedPassword: $6$l7TwL4n/aPNa1lCE$jkNEiWWVBbUbzjamOGgLSgjKONsIh8hgwrzRbHWKr9uIhmIM9OgNuP3vpAjGE2bHe1g84EKONVjpzmEx.shEX/

> What I am currently doing that doesn't work is having a locked account in
> LDAP for the emergency user. So if someone tries to login as the emergency
> user it will fail. The emergency user is disabled by setting
> `ldap_access_order` to `expire`. Unfortunately, when LDAP is offline, the
> emergency user still has the locked attribute since the user's attributes are
> cached. So the emergency user still fails to login.
>
> So my questions are:
>
> 1. SSSD is caching my user information (not credentials) when my LDAP server
> is offline. Is there a way to not cache user information or drop it after a
> set amount of time?
> I don't think there is a way, but I want to ask. I also don't think that this
> is the SSSD mindset, which leads to my next question.
>
> 2. What is the SSSD way to allow a user to only login when its backend is
> offline?
> Is there a way to do special things when a backend is offline? Instead of
> locking the account through a client-side 'access' check, should I be doing
> this through a server-side mechanism? Am I missing something incredibly
> obvious? Is this just a stupid approach to begin with?
>
> I am sure there is a good way to do this, I just don't know enough to figure
> it out.
>
> Thanks,
>
> Kevin
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
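As an added illustration of the reply's point that the SSSD cache stores crypt-style password hashes rather than plaintext (example code added here, not written by either poster or taken from the SSSD project): a small Python parser for `ldbsearch` output that reports which crypt(3) scheme each `cachedPassword` value uses, and shows that a user who has never authenticated while the backend was online has no cached hash at all. The sample output, DNs, salt and hash below are constructed placeholders.

```python
import re

# Constructed sample of `ldbsearch ... cachedPassword` output, modelled on the
# reply above. The DNs, salt and hash are made-up placeholders, not real values.
SAMPLE_LDBSEARCH_OUTPUT = """\
# record 1
dn: name=kevin@example.test,cn=users,cn=example.test,cn=sysdb
cachedPassword: $6$c0nstructedSalt$FakeHashPlaceholderNotARealDigest0123456789

# record 2
dn: name=emergency@example.test,cn=users,cn=example.test,cn=sysdb
"""

# crypt(3) modular-format prefix -> scheme name (so a $6$ value is sha512-crypt).
CRYPT_SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def parse_ldbsearch(text):
    """Parse LDIF-style ldbsearch output into one {attr: [values]} dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # blank line or '# record N' comment
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def classify_hash(value):
    """Split a $id$[rounds=N$]salt$hash string; None if it is not in that format."""
    m = re.fullmatch(r"\$(\d)\$(?:rounds=(\d+)\$)?([^$]+)\$([^$]+)", value)
    if not m or m.group(1) not in CRYPT_SCHEMES:
        return None
    return {"scheme": CRYPT_SCHEMES[m.group(1)], "rounds": m.group(2) or "default",
            "salt": m.group(3), "hash": m.group(4)}


def audit_cache(text):
    """Report the hash scheme behind each cachedPassword; users never seen online have none."""
    report = []
    for rec in parse_ldbsearch(text):
        for value in rec.get("cachedPassword", []):
            info = classify_hash(value) or {"scheme": "UNRECOGNISED"}
            report.append({"dn": rec["dn"][0], **info})
    return report
```

Run `audit_cache(SAMPLE_LDBSEARCH_OUTPUT)` to see one sha512-crypt entry for the first user and nothing for the second, which never had a hash cached.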
