to reproduce, set up an ldaps:// server (TLS won't reproduce the bug)
and configure the client as:
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_uri = ldaps://openldap.example.com
ldap_user_search_base = ou=People,dc=example,dc=com
ldap_group_search_base = ou=People,dc=example,dc=com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_object_class = inetOrgPerson
debug_level = 9
timeout = 30000
Before the patch you'll get an error saying you're not connected.
I think the proper solution would be to change the LDAP provider to
mark the connection as connected automatically, but there is logic in
sdap_async_connection that should be changed as well and the code around
whether to use TLS or not is a bit complex. Also, I would prefer to make
sdap_handle opaque outside the low-level code.
Hello, please see the attached patch.
The need for this patch was discussed in the thread "SDAP: Lock out ssh keys
when account naturally expires".
This patch implements point number 3.
>> I would prefer if we didn't add a new option as well, but since we
>> a version that only supported the lockout and not any other semantics,
>> I don't think we can get away with just changing the functionality. A
>> minor version can break functionality. But a major version can
>> So I propose the following:
>> 1) Add a new value for ldap_access_order called "ppolicy" that would
>> evaluate the pwdAccountLockedTime fully, including the new
>> functionality in this patchset
>> 2) In 1.12, deprecate the "lockout" option and log a warning that it
>> will be removed in a future release and users should migrate to "ppolicy"
>> 3) In master (1.13), remove the "lockout" ldap_access_order value
Honza, can you review, please?
To reproduce, just set default_domain_suffix on an IPA trust client to
the AD domain value in the [sssd] section:
services = nss, pac, sudo, pam, ssh
domains = linux.test
config_file_version = 2
default_domain_suffix = ad.example.com
Then request a host:
btw default_domain_suffix is already ignored for the autofs responder.
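The three configurations discussed in this thread (the proxy-id/ldap-auth setup over ldaps://, the proposed move from the "lockout" access order to "ppolicy", and default_domain_suffix in [sssd]) can be checked with a small sssd.conf lint. This is an added example, not code from the thread or from SSSD itself; the sample config is constructed from the snippets above, and the "lockout" check encodes the proposal in the quoted message as if it were adopted.

```python
"""Lint an sssd.conf for the settings discussed in this thread (added example)."""
import configparser
import io

# Constructed sample config, assembled from the snippets quoted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pac, sudo, pam, ssh, autofs
domains = linux.test
config_file_version = 2
default_domain_suffix = ad.example.com

[domain/linux.test]
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_uri = ldaps://openldap.example.com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_access_order = lockout
"""


def lint_sssd_conf(text):
    """Return a list of (section, finding) tuples for the checks below."""
    cp = configparser.ConfigParser(interpolation=None)  # sssd.conf is INI-style
    cp.read_file(io.StringIO(text))
    findings = []
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    services = {s.strip() for s in sssd.get("services", "").split(",") if s.strip()}
    # The thread notes that the autofs responder ignores default_domain_suffix.
    if "default_domain_suffix" in sssd and "autofs" in services:
        findings.append(("sssd", "default_domain_suffix is ignored by the autofs responder"))
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # The reproducer for the 'not connected' error: proxy id, ldap auth, ldaps://.
        # Only the first ldap_uri entry is inspected (assumption of this example).
        if (dom.get("id_provider") == "proxy" and dom.get("auth_provider") == "ldap"
                and dom.get("ldap_uri", "").startswith("ldaps://")):
            findings.append((section, "proxy id_provider with ldap auth_provider over "
                                      "ldaps://: hits the 'not connected' error before the patch"))
        # Point 2 of the quoted proposal: 'lockout' is deprecated in favour of 'ppolicy'.
        order = [v.strip() for v in dom.get("ldap_access_order", "").split(",")]
        if "lockout" in order:
            findings.append((section, "ldap_access_order 'lockout' is deprecated; use 'ppolicy'"))
    return findings
```

Running `lint_sssd_conf(SAMPLE_SSSD_CONF)` on the sample yields one finding for [sssd] and two for the domain section.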