On (15/04/15 12:37), Olivier wrote:
>Hi,
>
>Addendum:
>
>> My current policy is the following :
>>
>> - All my users must have a password in ldap (that is used by
>> applications other than ssh)
>>
>> - not all my users may have an ssh key (some never use ssh)
>>
>> Everything works as I want.
>
>I realize that with my tuning ssh behaves as follows:
>
>* if the user has no key in ldap then ssh asks for a login password
>
>* if the user has a correct key in ldap then ssh grants access and
> doesn't ask for any login/password
>
>* if the user has an incorrect key in ldap then ssh switches to the
> login/password authentication process.
>
>That means that if a bad sshkey is returned by
>"sss_ssh_authorizedkeys", then ppolicy will be checked and
>updated if necessary through the "login / password" process.
>
>Maybe that could help: with a given flag "sss_ssh_authorizedkeys"
>could simply refuse to return the key in case of a "ppolicy issue".
>
Your requirements seem to be similar to those in tickets:
https://fedorahosted.org/sssd/ticket/2364
https://fedorahosted.org/sssd/ticket/2534
The first feature is available in sssd-1.11
and the second one was recently added to sssd-1.12.
Here is a sample config:
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP
[domain/LDAP]
debug_level = 0xfff0
ldap_search_base = $DS_BASE_DN
id_provider = ldap
ldap_uri = ldap://$SERVER
cache_credentials = True
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
access_provider = ldap
ldap_access_order = lockout
ldap_pwdlockout_dn = cn=pwdconfig,ou=policies,$DS_BASE_DN
You can read more details in the manual page sssd-ldap -> ldap_access_order
LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
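Added example (not part of the thread above, and not sssd's own code): a small Python check that validates the lockout-related options in the sample sssd.conf, plus a function that evaluates the ppolicy lockout state of a user entry from its `pwdAccountLockedTime` and the policy's `pwdLockoutDuration`. The config text, the example.com DNs standing in for `$DS_BASE_DN`/`$SERVER`, the user and policy attribute dictionaries, and the timestamps are all constructed for the example. The lockout semantics (the `000001010000Z` marker meaning "locked until an administrator resets it", and a missing or zero `pwdLockoutDuration` meaning the same) follow the draft-behera LDAP password policy; that this matches sssd's check exactly is an assumption, so treat the function as a model of what the lockout check is doing, not as sssd's implementation.

```python
"""Validate the sssd.conf lockout settings and model the ppolicy lockout check.

Added example; not sssd code.  All sample data below is constructed.
"""
import configparser
from datetime import datetime, timedelta, timezone

# Constructed from the sample config in the mail; $DS_BASE_DN and $SERVER
# replaced with example.com placeholders, debug_level omitted.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_uri = ldap://ldap.example.com
cache_credentials = True
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
access_provider = ldap
ldap_access_order = lockout
ldap_pwdlockout_dn = cn=pwdconfig,ou=policies,dc=example,dc=com
"""

# ppolicy uses this pseudo-timestamp to mark an account locked until an
# administrator resets the password (assumption: draft-behera semantics).
PERMANENT_LOCK = "000001010000Z"


def lockout_config_problems(conf_text: str) -> list[str]:
    """Return misconfigurations that would keep the LDAP lockout check from working.

    For every domain listed in [sssd] domains whose ldap_access_order asks for
    'lockout', require access_provider = ldap and a non-empty ldap_pwdlockout_dn.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems: list[str] = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            problems.append(f"{sect}: section missing")
            continue
        order = [o.strip() for o in cp.get(sect, "ldap_access_order", fallback="").split(",")]
        if "lockout" not in order:
            continue  # lockout not requested for this domain; nothing to check
        if cp.get(sect, "access_provider", fallback="").strip() != "ldap":
            problems.append(f"{sect}: ldap_access_order=lockout requires access_provider = ldap")
        if not cp.get(sect, "ldap_pwdlockout_dn", fallback="").strip():
            problems.append(f"{sect}: lockout requested but ldap_pwdlockout_dn is not set")
    return problems


def parse_gtime(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20150415120000Z (UTC, no fraction)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_locked_out(user_attrs: dict, policy_attrs: dict, now: datetime) -> bool:
    """Model of the ppolicy lockout decision for one user entry.

    user_attrs   - attributes of the user entry (pwdAccountLockedTime if locked)
    policy_attrs - attributes of the ppolicy entry named by ldap_pwdlockout_dn
    now          - the time of the access request (timezone-aware UTC)
    """
    locked_at = user_attrs.get("pwdAccountLockedTime")
    if locked_at is None:
        return False  # no lock recorded on the entry
    if locked_at == PERMANENT_LOCK:
        return True  # locked until an administrator resets the password
    duration = int(policy_attrs.get("pwdLockoutDuration", 0))
    if duration == 0:
        return True  # assumption: zero/absent duration also means "until reset"
    return now < parse_gtime(locked_at) + timedelta(seconds=duration)


if __name__ == "__main__":
    print("config problems:", lockout_config_problems(SAMPLE_SSSD_CONF))
    policy = {"pwdLockoutDuration": "900"}  # constructed: 15-minute lockout
    user = {"pwdAccountLockedTime": "20150415120000Z"}  # constructed
    for t in ("20150415121000Z", "20150415122000Z"):
        print(t, "locked" if is_locked_out(user, policy, parse_gtime(t)) else "allowed")
```

Run it as a script to see the sample config pass and the constructed user be denied at 12:10 and allowed again at 12:20 UTC. Note that the check only models the access decision sssd makes after it has the user and policy entries; key retrieval through `sss_ssh_authorizedkeys` is a separate path, which is why the thread points at `access_provider` rather than at the key lookup.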