Support for pwdAccountLockedTime - sssd-devel - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Support for pwdAccountLockedTime

Advice request : LDAP server...

[PATCH] subdomains: replace dot...

Rajnesh Kumar Siwal

Friday, 15 February 2013 Fri, 15 Feb '13

2:58 a.m.

We have an attribute pwdAccountLockedTime in OpenLDAP that is responsible for for locking a User account. I am not able to figure out how sssd honours it. -- Regards, Rajnesh Kumar Siwal

Reply

Show replies by date

Sumit Bose

Friday, 15 February Fri, 15 Feb

3:21 a.m.

On Fri, Feb 15, 2013 at 02:28:50PM +0530, Rajnesh Kumar Siwal wrote:

We have an attribute pwdAccountLockedTime in OpenLDAP that is responsible for for locking a User account. I am not able to figure out how sssd honours it.

The attribute is part of the server side password policies (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10). It will be managed by the OpenLDAP server and the lockout is also enforced by the OpenLDAP server, i.e. bind requests will be rejected. See 'man slapo-ppolicy' (http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=...) for details. Since all is happening on the server side there is no need for SSSD to be aware of this attribute. HTH bye, Sumit

-- Regards, Rajnesh Kumar Siwal _______________________________________________ sssd-devel mailing list sssd-devel(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply

Simo Sorce

7:40 a.m.

On Fri, 2013-02-15 at 10:21 +0100, Sumit Bose wrote:

On Fri, Feb 15, 2013 at 02:28:50PM +0530, Rajnesh Kumar Siwal wrote: > We have an attribute pwdAccountLockedTime in OpenLDAP that is > responsible for for locking a User account. > I am not able to figure out how sssd honours it. The attribute is part of the server side password policies (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10). It will be managed by the OpenLDAP server and the lockout is also enforced by the OpenLDAP server, i.e. bind requests will be rejected. See 'man slapo-ppolicy' (http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=...) for details. Since all is happening on the server side there is no need for SSSD to be aware of this attribute.

Well there is the question of offline logins, but those should probably be disabled if you have such strict policies ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Reply

4113

days inactive

4113

days old

sssd-devel@lists.fedorahosted.org

Manage subscription

2 comments

3 participants

tags (0)

participants (3)

Rajnesh Kumar Siwal
Simo Sorce
Sumit Bose