On Fri, 2013-02-15 at 10:21 +0100, Sumit Bose wrote:
On Fri, Feb 15, 2013 at 02:28:50PM +0530, Rajnesh Kumar Siwal wrote:
> We have an attribute pwdAccountLockedTime in OpenLDAP that is
> responsible for locking a User account.
> I am not able to figure out how sssd honours it.
The attribute is part of the server side password policies
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-10). It
will be managed by the OpenLDAP server and the lockout is also enforced
by the OpenLDAP server, i.e. bind requests will be rejected. See 'man
slapo-ppolicy'
(http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=...)
for details.
Since all is happening on the server side there is no need for SSSD to
be aware of this attribute.
Well, there is the question of offline logins, but those should probably
be disabled if you have such strict policies?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
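
Added example, not part of the original thread: a small audit helper showing how the server-side lock state discussed above follows from pwdAccountLockedTime and the policy's pwdLockoutDuration, per the draft-behera semantics cited in the thread. The function names, the dict-shaped entry and the sample timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# draft-behera: this value means locked until a password administrator unlocks.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime such as 20130215092150Z."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime ending in Z: %r" % value)
    body = re.split(r"[.,]", value[:-1])[0]  # ignore an optional fraction
    fmt = {12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(body))
    if fmt is None:
        raise ValueError("unsupported GeneralizedTime form: %r" % value)
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def lock_state(entry, lockout_duration, now):
    """Return (locked, locked_until) for one user entry.

    entry: dict of attribute name -> list of string values (assumed shape,
           e.g. as returned by an LDAP search for operational attributes).
    lockout_duration: pwdLockoutDuration in seconds from the policy entry;
           0 or None means the lock holds until an administrator resets it.
    locked_until is None when there is no lock or the lock has no expiry.
    """
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return (False, None)
    # Check the sentinel first: year 0000 is not a parseable date.
    if values[0] == PERMANENT_LOCK or not lockout_duration:
        return (True, None)
    until = parse_generalized_time(values[0]) + timedelta(seconds=lockout_duration)
    return (now < until, until)


if __name__ == "__main__":
    # Constructed sample entries, not taken from a real directory.
    now = datetime(2013, 2, 15, 10, 0, 0, tzinfo=timezone.utc)
    samples = {
        "alice": {"pwdAccountLockedTime": ["20130215092150Z"]},
        "bob": {"pwdAccountLockedTime": [PERMANENT_LOCK]},
        "carol": {},
    }
    for uid, entry in samples.items():
        print(uid, lock_state(entry, 3600, now))
```

Only a bind against the server evaluates this state, so a client authenticating against locally cached credentials never sees it.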