8:05 a.m.
Hi everyone
In a small business solution, I'd like to setup a road warrior solution like so:
Step #1: User logs in to their ubuntu laptop. SSSD is configured to authenticate the user
against LDAP but is not yet connected to the VPN. Works with cached credentials. Password
cache is set to 10 days.
Step #2: User starts VPN client and they then have access to company resources such as
LDAP. Works.
Step #3: SSSD updates the cached password as soon as LDAP is available. Cache timeout
shall reset to the full 10 days once the user (and their laptop) is on the VPN.
With this setup, it should be enforced that the user needs to login to the VPN at least
every 10 days.
I've got a problem with step #3: How can I force SSSD to renew the cached password of
the user as soon as the LDAP server becomes available? (As mentioned, the VPN connection
is activated *after* the user logs in.)
Thanks for every hint or stories war stories on how to treat workstations with temporary
connection to the auth backend.
Client OS: Ubuntu 20.04 (soon 22.04)
sssd: 2.4.1
3:25 p.m.
New subject: Using SSSD in a road warrior setup; update cached credentials problem
On Thu, Apr 21, 2022 at 9:16 AM David Wittwer <dw.fedproj(a)planet9.ch> wrote:
I've got a problem with step #3: How can I force SSSD to renew
the
cached password of the user as soon as the LDAP server becomes
available? (As mentioned, the VPN connection is activated *after*
the user logs in.)
Something needs to trigger an authentication attempt while sssd is in
online mode. For example, locking and then unlocking the screen would
do it.
It might be possible to automate locking the screen, as part of a
post-VPN-up hook script…
726
days inactive
729
days old
sssd-users@lists.fedorahosted.org
1 comments
2 participants
participants (2)
-
David Wittwer -
James Ralston