#2364 RFE: Be able to configure sssd to honor openldap account lock to restrict access via ssh key
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1099290

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

1. Proposed title of this feature request

Be able to configure sssd to honor openldap account lock to restrict access via
ssh key

2. Who is the customer behind the request?

3. What is the nature and description of the request?

Currently, if a system uses openldap for its authentication database and sssd to
handle client sessions, a user who is locked for any reason in openldap can still
authenticate into the system with an ssh key. The existing ppolicy overlay
doesn't account for this.

sssd should be able to take an ldap key as a config parameter and use that to
deny any access if the account is locked in the ldap database, no matter the
authentication method.

Specifically, we need support for the following:

*pwdAccountLockedTime*

This attribute contains the time that the user's account was locked. If the
account has been locked, the password may no longer be used to authenticate
the user to the directory. If *pwdAccountLockedTime* is set to
*000001010000Z*, the user's account has been permanently locked and may
only be unlocked by an administrator. Note that account locking only takes
effect when the *pwdLockout* password policy attribute is set to "*TRUE*".
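The decision the RFE asks for, as an added example that is not SSSD's own code: classify a user's ppolicy lock from the attributes quoted above and apply it in the PAM account phase, where sshd still consults PAM for publickey logins, instead of only on password authentication. The attribute names and the permanent-lock value are the ones in the ticket; the user and policy dicts are constructed sample entries, and the function names are this example's own. Lock expiry via the overlay's pwdLockoutDuration is not modeled here.

```python
# Added example for this ticket (not SSSD's own code): models the access
# decision the RFE asks for. The attribute names pwdAccountLockedTime,
# pwdLockout and the permanent-lock value 000001010000Z are the ones quoted
# in the ticket; the user and policy dicts at the bottom are constructed
# sample data standing in for LDAP entries.
from datetime import datetime, timezone

PERMANENT_LOCK = "000001010000Z"  # lock that only an administrator can clear


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ GeneralizedTime form the ppolicy overlay writes."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_state(user, policy):
    """Classify a user's ppolicy lock.

    user   -- attributes of the user entry (single-valued strings)
    policy -- attributes of the pwdPolicy entry that applies to the user
    Returns "unlocked", "locked", "locked-permanent" or "lock-not-enforced".
    The last covers the caveat quoted in the ticket: a pwdAccountLockedTime
    value means nothing unless the policy has pwdLockout: TRUE.
    """
    locked_at = user.get("pwdAccountLockedTime")
    if locked_at is None:
        return "unlocked"
    if policy.get("pwdLockout", "FALSE").upper() != "TRUE":
        return "lock-not-enforced"
    if locked_at == PERMANENT_LOCK:
        return "locked-permanent"   # year 0000 is not parseable, so check it first
    parse_generalized_time(locked_at)  # reject garbage; raises ValueError
    return "locked"


def is_locked(user, policy):
    return lock_state(user, policy) in ("locked", "locked-permanent")


def password_only_check(user, policy, method):
    """Behaviour the ticket complains about: only a password login consults the lock."""
    if method == "password":
        return not is_locked(user, policy)
    return True  # an ssh-key login never asks the directory about the lock


def account_phase_check(user, policy, method):
    """Requested behaviour: decide in the account phase, whatever the method.

    With UsePAM yes, sshd still runs the PAM account phase for publickey
    logins, so a denial here blocks key-based access as well.
    """
    # 'method' is deliberately ignored: the lock applies to every login path.
    return not is_locked(user, policy)


# Constructed sample entries (not real data).
POLICY_ENFORCING = {"cn": "default", "pwdLockout": "TRUE"}
POLICY_LAX = {"cn": "lax", "pwdLockout": "FALSE"}
ALICE = {"uid": "alice"}                                          # never locked
BOB = {"uid": "bob", "pwdAccountLockedTime": "20140521134500Z"}   # locked by ppolicy after failures
CAROL = {"uid": "carol", "pwdAccountLockedTime": PERMANENT_LOCK}  # locked by an admin


def compare(user, policy):
    """Old versus requested decision per login method: True means access granted."""
    return {
        method: (password_only_check(user, policy, method),
                 account_phase_check(user, policy, method))
        for method in ("password", "ssh-key")
    }


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user["uid"], lock_state(user, POLICY_ENFORCING),
              compare(user, POLICY_ENFORCING))
```

Running it shows the gap from the ticket on the ssh-key column: the permanently locked user carol is granted ssh-key access by the password-only check and denied by the account-phase check. In SSSD itself this lives in the LDAP access provider; as far as I know (verify against sssd-ldap(5) for the installed version) it is enabled with `access_provider = ldap` and `ldap_access_order = lockout` in the domain section, with `ldap_pwdlockout_dn` pointing at the policy entry, and a later release added the `ppolicy` value that also honors the lock duration.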

Requested by RHEL-6, moving to 1.11.7

design_review: => 0
milestone: NEEDS_TRIAGE => SSSD 1.11.7
review: True => 0
testsupdated: => 0

Fields changed

owner: somebody => preichl

Fields changed

patch: 0 => 1

Fields changed

resolution: => fixed
status: new => closed

master branch commit: 2a91d3d


Metadata Update from @jhrozek:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.11.7

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3406

If you want to receive further updates on the issue, please navigate to the github issue
and click the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
