Hi everyone
In a small business solution, I'd like to set up a road warrior solution like so:

Step #1: User logs in to their ubuntu laptop. SSSD is configured to authenticate the user against LDAP but is not yet connected to the VPN. Works with cached credentials. Password cache is set to 10 days.

Step #2: User starts VPN client and they then have access to company resources such as LDAP. Works.

Step #3: SSSD updates the cached password as soon as LDAP is available. Cache timeout shall reset to the full 10 days once the user (and their laptop) is on the VPN.
With this setup, it should be enforced that the user needs to login to the VPN at least every 10 days.
I've got a problem with step #3: How can I force SSSD to renew the cached password of the user as soon as the LDAP server becomes available? (As mentioned, the VPN connection is activated *after* the user logs in.)
Thanks for every hint or war story on how to treat workstations with temporary connection to the auth backend.
Client OS: Ubuntu 20.04 (soon 22.04) sssd: 2.4.1
On Thu, Apr 21, 2022 at 9:16 AM David Wittwer dw.fedproj@planet9.ch wrote:
> I've got a problem with step #3: How can I force SSSD to renew the cached password of the user as soon as the LDAP server becomes available? (As mentioned, the VPN connection is activated *after* the user logs in.)
Something needs to trigger an authentication attempt while sssd is in online mode. For example, locking and then unlocking the screen would do it.
It might be possible to automate locking the screen, as part of a post-VPN-up hook script…
sssd-users@lists.fedorahosted.org
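The post-VPN-up hook sketched in the reply, written out as an added example (not code from either poster or from the sssd project). It assumes the VPN is managed by NetworkManager, so the script lives in /etc/NetworkManager/dispatcher.d/ and is called as `<script> <interface> <action>` with action `vpn-up`; that the sssd domain is called `example` (set SSSD_DOMAIN to the real `[domain/...]` name); and that the desktop honours `loginctl lock-sessions`. It sends sssd SIGUSR2 (sssd(8): force online operation), waits until `sssctl domain-status` reports Online, then locks the sessions so the next unlock is an online PAM authentication that refreshes the cached password. The 10-day limit in the original post corresponds to `offline_credentials_expiration` in the `[pam]` section of sssd.conf; for the unlock to really hit LDAP, `cached_auth_timeout` in the domain section must stay at its default of 0, otherwise sssd answers from the cache even while online.

```shell
#!/bin/sh
# Added example: NetworkManager dispatcher hook that refreshes the sssd
# credential cache once the VPN is up. Not code from the thread or from sssd.
# Install as /etc/NetworkManager/dispatcher.d/90-sssd-refresh (root:root, 0755).
# NetworkManager invokes it as: <script> <interface> <action>

SSSD_DOMAIN="${SSSD_DOMAIN:-example}"        # assumption: [domain/example] in sssd.conf
SSSD_ONLINE_WAIT="${SSSD_ONLINE_WAIT:-30}"   # seconds to wait for sssd to report online

# Return 0 when the dispatcher event is a VPN coming up ($1=interface, $2=action).
is_vpn_up_event() {
    [ "$2" = "vpn-up" ]
}

# Parse the output of "sssctl domain-status <domain>"; return 0 when it reports
# "Online status: Online" (sssd 2.x prints this as the first line).
sssd_status_is_online() {
    printf '%s\n' "$1" | grep -qi '^Online status: *Online'
}

# Tell sssd to go online (SIGUSR2, see sssd(8)) and wait until it says so.
sssd_force_online() {
    pid=$(pidof sssd) || return 1           # monitor process is named "sssd"
    kill -s USR2 "$pid"
    i=0
    while [ "$i" -lt "$SSSD_ONLINE_WAIT" ]; do
        if sssd_status_is_online "$(sssctl domain-status "$SSSD_DOMAIN" 2>/dev/null)"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

main() {
    is_vpn_up_event "$@" || return 0
    if sssd_force_online; then
        logger -t sssd-refresh "sssd online for $SSSD_DOMAIN; locking sessions to force re-auth"
        # The unlock dialog authenticates through pam_sss while sssd is online,
        # which rewrites the cached password and restarts the expiry clock.
        loginctl lock-sessions
    else
        logger -t sssd-refresh "sssd still offline for $SSSD_DOMAIN after ${SSSD_ONLINE_WAIT}s"
    fi
}

# Only act when invoked by NetworkManager with an action argument.
if [ -n "${2:-}" ]; then
    main "$@"
fi
```

The lock is only the trigger; the cache is refreshed when the user actually types their password at the unlock prompt, so a laptop left locked after `vpn-up` stays on the old cache entry until someone unlocks it. If the VPN is brought up by a client outside NetworkManager (for example OpenVPN's own `--up` script), the argument convention differs and `is_vpn_up_event` has to be adapted, but the `sssd_force_online` and `lock-sessions` steps stay the same.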