On Fri, Jul 29, 2016 at 11:57:54AM +0200, thierry bordaz wrote:
On 07/28/2016 04:49 PM, Lukas Slebodnik wrote:
> On (28/07/16 16:37), thierry bordaz wrote:
> > ...
> > That is correct and this is the expected behavior.
> > Using ns-inactivate.pl with a role, it inactivates all the entries in that
> > role adding nsaccountlock virtual attribute.
> > You are right, update (add of nsaccountlock) of regular user can be done
> > without update of its modifytimestamp.
> >
> Thank you very much for confirmation and for info that plugin
> is not used on IPA. So we needn't special case nsaccountlock for IPA.
>
> We had a discussion on the sssd devel meeting, and we agreed that we will
> do some performance measurements. If there is a significant
> difference, then we will check modifytimestamp only with IPA and AD,
> and it will be disabled by default with generic LDAP.
>
> LS
Hi Lukas,
Just to be sure. Does SSSD currently use or intend to use
ns-inactivate/ns-activate to disable/enable IPA users?
Judging by the code, we use the value of nsAccountLock as well in IPA.
(Before running the HBAC rules, we check if the user is expired by
looking at nsAccountLock -> see sdap_account_expired_rhds() and us
calling sdap_access_send() from ipa_pam_access_handler_send().)
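The thread above raises two points that interact: SSSD decides access partly from nsAccountLock, and inactivating an entry through a 389-ds role sets nsAccountLock as a virtual attribute without touching modifyTimestamp. The following is an added illustration, not SSSD code and not the functions named above; the entry dictionaries are constructed, the helper names are hypothetical, and it assumes that a value of "TRUE" (case-insensitive) in nsAccountLock means the account is locked. It shows why a cache refresh that trusts an unchanged modifyTimestamp can keep serving a stale "not locked" answer.

```python
"""Added example (not SSSD code): why a modifyTimestamp-based cache refresh
can miss an nsAccountLock change applied through a 389-ds role.

Sample entries below are constructed; the helper names are hypothetical.
"""
from typing import Dict, List, Optional

# An LDAP entry flattened to attribute -> list of string values.
Entry = Dict[str, List[str]]


def account_locked(entry: Entry) -> bool:
    """Return True when nsAccountLock says the account is inactivated.

    Assumption: nsAccountLock carries a boolean-style value, so "TRUE"
    (case-insensitive) means locked; absence or "FALSE" means active.
    """
    values = entry.get("nsAccountLock", [])
    return any(v.strip().upper() == "TRUE" for v in values)


def refresh_if_changed(cached: Optional[Entry], fresh: Entry) -> Entry:
    """Naive refresh: keep the cached copy if modifyTimestamp is unchanged."""
    if cached is not None and cached.get("modifyTimestamp") == fresh.get("modifyTimestamp"):
        return cached
    return fresh


def refresh_always_check_lock(cached: Optional[Entry], fresh: Entry) -> Entry:
    """Refresh that carries nsAccountLock over even when the timestamp matches.

    Virtual attributes are computed on read, so they must be taken from the
    freshly fetched entry regardless of modifyTimestamp.
    """
    if cached is not None and cached.get("modifyTimestamp") == fresh.get("modifyTimestamp"):
        merged = dict(cached)
        merged["nsAccountLock"] = fresh.get("nsAccountLock", [])
        return merged
    return fresh


# Constructed sample: the user is active at the first sync ...
BEFORE_LOCK: Entry = {
    "uid": ["alice"],
    "modifyTimestamp": ["20160728143700Z"],
}
# ... and is then inactivated via a role. The virtual nsAccountLock appears,
# but modifyTimestamp stays the same because the entry itself was not written.
AFTER_LOCK: Entry = {
    "uid": ["alice"],
    "modifyTimestamp": ["20160728143700Z"],
    "nsAccountLock": ["TRUE"],
}


def demo() -> Dict[str, bool]:
    """Run both refresh strategies against the constructed entries."""
    cached = refresh_if_changed(None, BEFORE_LOCK)
    naive = refresh_if_changed(cached, AFTER_LOCK)
    careful = refresh_always_check_lock(cached, AFTER_LOCK)
    return {
        "naive_sees_lock": account_locked(naive),      # False: the lock is missed
        "careful_sees_lock": account_locked(careful),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The naive strategy is what a modifyTimestamp-only optimisation would do for a generic LDAP backend; the second strategy is one way to keep the optimisation while still honouring nsAccountLock, which is why the thread discusses enabling the timestamp check only for the backends where it is known to be safe.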