Learn more about these different git repos.
Other Git URLs
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1099290
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
1. Proposed title of this feature request
Be able to configure sssd to honor openldap account lock to restrict access via
2. Who is the customer behind the request?
3. What is the nature and description of the request?
Currently if a system uses openldap for its authentication database and sssd to
handle client sessions, if a user is locked for any reason in openldap the user
can still authenticate into the system with an ssh key. The existing ppolicy
overlay doesn't account for this.
sssd should be able to take an ldap key as a config parameter and use that to
deny any access if the account is locked in the ldap database, no matter the
Specifically, we need support for the following:
This attribute contains the time that the user's account was locked. If the
account has been locked, the password may no longer be used to authenticate
the user to the directory. If*pwdAccountLockedTime* is set to
*000001010000Z*, the user's account has been permanently locked and may
only be unlocked by an administrator. Note that account locking only takes
effect when the *pwdLockout* password policy attribute is set to "*TRUE*".
Requested by RHEL-6, moving to 1.11.7
design_review: => 0
milestone: NEEDS_TRIAGE => SSSD 1.11.7
review: True => 0
testsupdated: => 0
owner: somebody => preichl
patch: 0 => 1
resolution: => fixed
status: new => closed
master branch commit: 2a91d3d
mark: => 0
Metadata Update from @jhrozek:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.11.7
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
to comment on this ticket.