What is the SSSD approach to allowing a user to only login when its backend is offline?
I currently have an OpenLDAP server that I authenticate against via SSSD and PAM to login.
Normally, I can log into my machines with the accounts stored in LDAP; however, I would
like to still be able to log into those machines even if my LDAP server is not online. I
want to have an emergency user that is able to login when LDAP is not online, but I
don't want the emergency user to be able to log in when LDAP is online. I don't
want to cache credentials and I can't guarantee that the account will have been used
to login before LDAP is offline.
What I am currently doing that doesn't work is having a locked account in LDAP for the
emergency user. So if someone tries to login as the emergency user it will fail. The
emergency user is disabled by setting `ldap_access_order` to `expire`. Unfortunately,
when LDAP is offline, the emergency user still has the locked attribute since the
user's attributes are cached. So the emergency user still fails to login.
So my questions are:
1. SSSD is caching my user information (not credentials) when my LDAP server is offline.
Is there a way to not cache user information or drop it after a set amount of time?
I don't think there is a way, but I want to ask. I also don't think that this is
the SSSD mindset, which leads to my next question.
2. What is the SSSD way to allow a user to only login when its backend is offline?
Is there a way to do special things when a backend is offline? Instead of locking the
account through a client-side 'access' check, should I be doing this through a
server-side mechanism? Am I missing something incredibly obvious? Is this just a stupid
approach to begin with?
I am sure there is a good way to do this, I just don't know enough to figure it out.
Thanks,
Kevin
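For readers following the thread, here is the client-side configuration the post describes, written out as an added illustration; it is not taken from the original message or from the SSSD project, and the domain name, `ldap_uri`, `ldap_search_base` and the choice of `ldap_account_expire_policy = shadow` are assumptions made for the example. It shows the `expire` access check that locks the emergency account, and `cache_credentials` left at its default of `false` so no passwords are stored locally.

```ini
# /etc/sssd/sssd.conf (added example; domain name and LDAP details are assumed)
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com          # assumed server
ldap_search_base = dc=example,dc=com        # assumed base DN

# Do not store password hashes for offline authentication.
# (false is the default; stated explicitly to match the post's requirement)
cache_credentials = false

# Client-side access control: the only check performed is account expiry.
access_provider = ldap
ldap_access_order = expire
# Which attribute "expire" looks at; "shadow" means shadowExpire (assumption)
ldap_account_expire_policy = shadow
```

Note that `ldap_access_order = expire` is evaluated by the access provider on the client from the user entry SSSD already holds, so while the backend is offline the expiry attribute is read from the local cache rather than from the server; this is exactly why the emergency account stays locked in the scenario the post describes. `sss_cache -E` marks cached entries expired but does not remove them, so it does not change that behaviour on its own.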