Hello, I've searched extensively and haven't found an answer to this. I have a RHEL6.4 system running slapd version 2.4.23-32.el6_4.1 with sssd version 1.9.2-82.11.el6_4. I've configured OpenLDAP to use ppolicy. Everything (password expires, account locked, grace periods, etc) is working beautifully if the user logs in with their password. But if they have an SSH public key, then even if the account in OpenLDAP is locked, the user can still log in. I can't seem to find a FAQ on configuring OpenLDAP and SSSD in regards to ppolicy settings for this case. I hope I am just missing something simple. Any suggestions or pointers would be much appreciated.
Thanks, -Brad Viviano
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696
HSCSS Task Order Lead - Ravi Nair 919-541-5467 - Nair.Ravi@epa.gov
High Performance Computing Subtask Lead - Durward Jones 919-541-5043 - Jones.Durward@epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen 919-541-1834 - Paulsen.Heidi@epa.gov
On 11/22/2013 02:51 PM, Viviano, Brad wrote:
You want to use account policies when logging in using SSH keys?
I am not an expert, so I am not sure exactly how to do it or whether it is possible, but I think you need to make sure that when you log into the system via SSH the PAM accounting phase is performed. Please check the SSH config to invoke PAM accounting for access control checks; then you can use SSSD in the PAM stack and use its access control provider configuration for LDAP to do the checks. At least this is the direction I would try to dig.
HTH,
Dmitri
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
On Fri, Nov 22, 2013 at 03:16:16PM -0500, Dmitri Pal wrote:
Dmitri is completely right.
When you log in with your public key the authentication is performed by sshd, so SSSD's pam_sss doesn't come into play in the authentication.
Some password policies (e.g. shadow) would be possible to check later during the account phase, but typically the expiration data is returned by the LDAP server during authentication, so this solution wouldn't be generic.
Also, by using public keys, you are logging in with an authentication token other than your password, so it would seem a bit strange to warn about password properties.
Account expiration is a different matter than password policy. Expiration should always be checked during account phase. I'm not sure which mechanism is most prevalent in OpenLDAP deployments, but please check the sssd-ldap man page, option 'ldap_account_expire_policy'. If there is some widely used overlay or other mechanism which is not supported by the SSSD, let us know.
From: Stephen Gallagher <sgallagh@redhat.com>
Sent: Monday, November 25, 2013 7:20 AM
Subject: Re: [SSSD] Configuring SSSD expire policy with OpenLDAP and SSH.
On 11/24/2013 04:19 PM, Jakub Hrozek wrote:
Two other things to check:
1) Is /etc/ssh/sshd_config set with "Use PAM = yes"?
2) What do you have set in sssd.conf for access_provider? If you're not using "access_provider = ldap" and the appropriate "ldap_access_order" settings, the expiration policy may not be checked.
Everyone, Thanks for your pointers. What I am trying to replicate with sssd/LDAP is what happens with local password files on ssh with public keys. If /etc/shadow has an expired password, the user is locked out until they contact the admin and request it be reset:
$ ssh somehost
Your account has expired; please contact your system administrator
Connection closed
My pam.d config file for sshd is standard for RHEL6 with sssd enabled:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
My sshd_config is setup for "PAM = yes" (again RHEL6 standard). My sssd.conf has the following relevant entries:
id_provider = ldap
auth_provider = ldap
ldap_access_order = expire
The setting I am not sure about for sssd.conf is "ldap_account_expire_policy". I don't see anything in the manual page, WIKI or docs that details the correct setting for OpenLDAP with ppolicy, which is what prompted my message to this list. What I need is for sssd to check the account locked attribute for ppolicy, which is "pwdAccountLockedTime" and if it's set, not allow the user to login.
I have tried setting ldap_account_expire_policy to rhds, ipa and 389ds and setting ldap_ns_account_lock to pwdAccountLockedTime, to no effect.
I see all kinds of options in the sssd.conf man pages for other LDAP providers (rhds, ipa, 389ds and AD) but I don't see an option for OpenLDAP w/ppolicy. So, is that even supported in sssd?
Thanks, -Brad Viviano
On Monday, November 25, 2013 7:20 AM, Stephen Gallagher <sgallagh@redhat.com> wrote:
I turned debugging in sssd on at a high level for the LDAP section and found the following in the log when I try to log in with a locked account that has an SSH public key:
(Mon Nov 25 09:18:12 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding nsAccountLock [20131125140156Z] to attributes of [bviviano].
This directly corresponds to the pwdAccountLockedTime set on my account, which is what I set ldap_ns_account_lock to:
[root@smtools ldap]# ldapsearch -x -ZZ cn=bviviano pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <dc=epa,dc=gov> (default) with scope subtree
# filter: cn=bviviano
# requesting: pwdAccountLockedTime
#

# bviviano, users, epa.gov
dn: cn=bviviano,cn=users,dc=epa,dc=gov
pwdAccountLockedTime: 20131125140156Z

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
From reading, "nsAccountLock" is expecting a true/false field. OpenLDAP ppolicy doesn't seem to provide a locked/unlocked true/false in any field. It only provides pwdAccountLockedTime, which has the form of a time stamp. Is there anything in sssd.conf that would allow me to check not the value of "pwdAccountLockedTime" but whether that value exists or not? I might be able to craft an LDAP filter and search on that not existing, but thought I'd ask if anyone else has been able to get OpenLDAP w/ppolicy to work with SSSD.
Thanks, -Brad Viviano
Some additional information on my problem.
I've confirmed that for ssh, I am going through pam_sss.so just fine. If I set the following in my sssd.conf:
ldap_access_order = filter
ldap_access_filter = (!(pwdAccountLockedTime=*))
Then the user doesn't get access if their account is locked:
$ ssh bviviano@somehost
Connection closed
Since this is a filter, it can't really give the user a reason; they just get disconnected. It isn't an ideal situation, but it works. My question to the sssd developers is, am I missing something in sssd.conf that would make this work better and be more useful to the user? As I said in a previous message, I don't see anything in the manual pages or the WIKI that lists OpenLDAP/ppolicy specific configurations or even if they are supported.
Thanks, -Brad Viviano
On Monday, November 25, 2013 10:29 AM, Viviano, Brad <Viviano.Brad@epa.gov> wrote:
On 11/25/2013 12:38 PM, Viviano, Brad wrote:
Couple thoughts:
1) Maybe you can create a virtual attribute in OpenLDAP using some plugin/overlay that would be true/false based on the presence of pwdAccountLockedTime. Then you would be able to point to it as an attribute rather than use a filter.
2) I do not recall this issue being discussed on the list before. You might want to file an RFE. However, I am not sure how soon we would be able to get to it. But help is always welcome!
Thanks for everyone's follow ups.
I've confirmed with the OpenLDAP group that there is just no automatic method for account locking at the server side. I guess it's something they've discussed, but never came to an agreement on, so nothing has been implemented. I'm not quite ready to throw in the towel on OpenLDAP and switch to something else. I want to try and implement something so I can at least set an account locked manually when I need to. I was hoping it would be as simple as adding a schema extension for "nsAccountLock" and setting it on a user, but that doesn't seem to be the case.
I've added a schema extension for "nsAccountLock" as a boolean and set it on my test user:
attributetype ( 1.3.6.1.4.1.21928.1.1.1.4 NAME 'nsAccountLock' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
# ldapsearch -x -ZZ cn=bviviano nsAccountLock
# extended LDIF
#
# LDAPv3
# base <dc=epa,dc=gov> (default) with scope subtree
# filter: cn=bviviano
# requesting: nsAccountLock
#

# bviviano, users, epa.gov
dn: cn=bviviano,cn=users,dc=epa,dc=gov
nsAccountLock: TRUE

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
but that user can still log in with a password or public keys. The messages I am seeing in my sssd domain log are:

sssd_default.log:(Tue Nov 26 08:51:35 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
sssd_default.log:(Tue Nov 26 08:51:35 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [nsAccountLock]
sssd_default.log:(Tue Nov 26 08:51:35 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding nsAccountLock [TRUE] to attributes of [bviviano].
My sssd.conf has the following entries:
ldap_access_order = expire
ldap_account_expire_policy = rhds

I've turned debugging on the LDAP domain and PAM up to 0xFFF0 and I don't see anything else that is useful. Apparently there is something else I am missing. Short of tracing the code line by line, I thought I'd ask if someone knew exactly which fields I need to add to LDAP to get this to work in sssd, so I could set nsAccountLock and lock out a user.
Thanks,
-Brad Viviano
=================================================== Brad Viviano High Performance Computing & Scientific Visualization Lockheed Martin, Supporting the EPA Research Triangle Park, NC 919-541-2696
HSCSS Task Order Lead - Ravi Nair 919-541-5467 - Nair.Ravi@epa.gov High Performance Computing Subtask Lead - Durward Jones 919-541-5043 - Jones.Durward@epa.gov Environmental Modeling and Visualization Lead - Heidi Paulsen 919-541-1834 - Paulsen.Heidi@epa.gov
________________________________
From: Dmitri Pal <dpal@redhat.com> (via sssd-devel-bounces@lists.fedorahosted.org)
Sent: Monday, November 25, 2013 12:46 PM
To: sssd-devel@lists.fedorahosted.org
Subject: Re: [SSSD] Configuring SSSD expire policy with OpenLDAP and SSH.
On 11/25/2013 12:38 PM, Viviano, Brad wrote:
Some additional information on my problem.
I've confirmed that for ssh, I am going through pam_sss.so just fine. If I set the following in my sssd.conf:
ldap_access_order = filter
ldap_access_filter = (!(pwdAccountLockedTime=*))
Then the user doesn't get access if their account is locked:
$ ssh bviviano@somehost
Connection closed

Since this is a filter, it can't really give the user a reason; they just get disconnected. It isn't an ideal situation, but it works. My question to the sssd developers is, am I missing something in sssd.conf that would make this work better and be more useful to the user? As I said in a previous message, I don't see anything in the manual pages or the WIKI that lists OpenLDAP/ppolicy specific configurations, or even whether they are supported.
Couple thoughts:
1) Maybe you can create a virtual attribute in OpenLDAP using some plugin/overlay that would be true/false based on the presence of the pwdAccountLockedTime. Then you would be able to point to it as an attribute rather than use a filter.
2) I do not recall this issue discussed on the list before. You might want to file an RFE. However, I am not sure how soon we would be able to get to it. But help is always welcome!
Thanks, -Brad Viviano
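The two access checks Brad tries in this thread, the presence filter `(!(pwdAccountLockedTime=*))` from the message just above and `ldap_access_order = expire` with `ldap_account_expire_policy = rhds` from his most recent message, evaluated against LDAP entries held in memory. This is an added illustration written for this thread, not SSSD's or OpenLDAP's code. The rhds rule (deny when the `ldap_ns_account_lock` attribute, nsAccountLock by default, reads "true", case-insensitively) follows the sssd-ldap man page; the lock semantics follow OpenLDAP ppolicy (000001010000Z marks a permanent lock, pwdLockoutDuration 0 locks until an administrator resets it). The 900-second pwdLockoutDuration, the entries other than Brad's own DN, and all function names are assumptions made up for the example. It also shows why pointing `ldap_ns_account_lock` at pwdAccountLockedTime did not lock anyone out: a timestamp never compares equal to "true".

```python
"""Model of the two SSSD LDAP access checks discussed in the thread (constructed example)."""
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # ppolicy value meaning "locked permanently"

# Constructed directory entries; only the first DN appears in the thread.
SAMPLE_ENTRIES = {
    "cn=bviviano,cn=users,dc=epa,dc=gov": {"pwdAccountLockedTime": ["20131125140156Z"]},
    "cn=alice,cn=users,dc=example,dc=com": {},                                   # never locked
    "cn=bob,cn=users,dc=example,dc=com": {"nsAccountLock": ["TRUE"]},            # locked by flag
    "cn=carol,cn=users,dc=example,dc=com": {"pwdAccountLockedTime": [PERMANENT_LOCK]},
}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20131125140156Z (always UTC here)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def presence_filter_allows(entry, attr="pwdAccountLockedTime"):
    """ldap_access_order = filter with (!(attr=*)): allow only when attr is absent."""
    return not entry.get(attr)


def rhds_policy_allows(entry, lock_attr="nsAccountLock"):
    """ldap_account_expire_policy = rhds: deny only when lock_attr is literally 'true'."""
    return not any(v.strip().lower() == "true" for v in entry.get(lock_attr, []))


def ppolicy_lock_active(entry, now, lockout_duration):
    """Is the ppolicy lock on this entry still in force at `now`?

    ppolicy does not delete pwdAccountLockedTime when pwdLockoutDuration elapses;
    it is cleared on the next successful password bind. The presence filter above
    therefore keeps denying a key-only user until an administrator clears it.
    """
    values = entry.get("pwdAccountLockedTime", [])
    if not values:
        return False
    locked_at = values[0]
    if locked_at == PERMANENT_LOCK or lockout_duration == 0:
        return True
    return now < parse_generalized_time(locked_at) + timedelta(seconds=lockout_duration)


def access_decision(entry, order, now, lockout_duration, lock_attr="nsAccountLock"):
    """Return the decision SSSD's access phase would reach for one ldap_access_order value."""
    if order == "filter":
        allowed = presence_filter_allows(entry)
        reason = "filter matched" if allowed else "pwdAccountLockedTime is set"
    elif order == "expire":
        allowed = rhds_policy_allows(entry, lock_attr)
        reason = f"{lock_attr} is not 'true'" if allowed else f"{lock_attr} is true"
    else:
        raise ValueError(f"unsupported ldap_access_order: {order}")
    # A denial whose underlying ppolicy lockout has already expired is "stale".
    stale = (not allowed) and order == "filter" and not ppolicy_lock_active(entry, now, lockout_duration)
    return {"allowed": allowed, "reason": reason, "stale_lock": stale}


def decide(dn, order, now_str, lockout_duration=900, lock_attr="nsAccountLock"):
    """Convenience wrapper: look up a sample entry and decide at a GeneralizedTime `now_str`."""
    return access_decision(SAMPLE_ENTRIES[dn], order, parse_generalized_time(now_str),
                           lockout_duration, lock_attr)


if __name__ == "__main__":
    for dn in SAMPLE_ENTRIES:
        for order in ("filter", "expire"):
            print(f"{dn:45} {order:6} {decide(dn, order, '20131125143000Z')}")
```

Run as a script it prints the decision table for both orders; the interesting rows are bviviano (denied by the filter, allowed by the rhds check because there is no nsAccountLock, and by 14:30 the 15-minute lockout has lapsed so the denial is stale) and bob (allowed by the filter because it never looks at nsAccountLock, denied by the rhds check).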
From: Viviano, Brad <Viviano.Brad@epa.gov> (via sssd-devel-bounces@lists.fedorahosted.org)
Sent: Monday, November 25, 2013 10:29 AM
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] Configuring SSSD expire policy with OpenLDAP and SSH.
I turned debugging in sssd on at a high level for the LDAP section and found the following in the log when I try to log in with a locked account that has an SSH public key:
(Mon Nov 25 09:18:12 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding nsAccountLock [20131125140156Z] to attributes of [bviviano].
This directly corresponds to the pwdAccountLockedTime set on my account, which is what I set ldap_ns_account_lock to:
[root@smtools ldap]# ldapsearch -x -ZZ cn=bviviano pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <dc=epa,dc=gov> (default) with scope subtree
# filter: cn=bviviano
# requesting: pwdAccountLockedTime
#

# bviviano, users, epa.gov
dn: cn=bviviano,cn=users,dc=epa,dc=gov
pwdAccountLockedTime: 20131125140156Z

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
From reading, "nsAccountLock" is expecting a true/false field. OpenLDAP ppolicy doesn't seem to provide a locked/unlocked true/false in any field. It only provides pwdAccountLockedTime, which has the form of a time stamp. Is there anything in sssd.conf that would allow me to check not the value of "pwdAccountLockedTime" but whether that value exists or not? I might be able to craft an LDAP filter and search on that not existing, but thought I'd ask if anyone else has been able to get OpenLDAP w/ ppolicy to work with SSSD.
Thanks, -Brad Viviano
From: Stephen Gallagher <sgallagh@redhat.com> (via sssd-devel-bounces@lists.fedorahosted.org)
Sent: Monday, November 25, 2013 7:20 AM
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] Configuring SSSD expire policy with OpenLDAP and SSH.
On 11/24/2013 04:19 PM, Jakub Hrozek wrote:
On Fri, Nov 22, 2013 at 03:16:16PM -0500, Dmitri Pal wrote:
On 11/22/2013 02:51 PM, Viviano, Brad wrote:
Hello, I've searched extensively and haven't found an answer to this. I have a RHEL6.4 system running slapd version 2.4.23-32.el6_4.1 with sssd version 1.9.2-82.11.el6_4. I've configured OpenLDAP to use ppolicy. Everything (password expires, account locked, grace periods, etc) is working beautifully if the user logs in with their password. But if they have an SSH public key, then even if the account in OpenLDAP is locked, the user can still login. I can't seem to find a FAQ on configuring OpenLDAP and SSSD in regards to ppolicy settings for this case. I hope I am just missing something simple. Any suggestions or pointers would be much appreciated.
You want to use account policies when logging in using SSH keys?
I am not an expert, so I am not sure exactly how to do it or whether it is possible, but I think you need to make sure that when you log into the system via SSH the PAM accounting phase is performed. Please check the SSH config to invoke PAM accounting for access control checks; then you can use SSSD in the PAM stack and use its access control provider configuration for LDAP to do the checks. At least this is the direction I would try to dig.
HTH Dmitri
Dmitri is completely right.
When you log in with your public key the authentication is performed by sshd, so the SSSD's pam_sss doesn't come to play in the authentication.
Some password policies (eg shadow) would be possible to check later during the account phase, but typically the expiration data is returned by the LDAP server during authentication, so this solution wouldn't be generic.
Also, by using public keys, you are logging in with another authentication token than your password, so it would seem a bit strange to warn about password properties.
Account expiration is a different matter than password policy. Expiration should always be checked during account phase. I'm not sure which mechanism is most prevalent in OpenLDAP deployments, but please check the sssd-ldap man page, option 'ldap_account_expire_policy'. If there is some widely used overlay or other mechanism which is not supported by the SSSD, let us know.
Two other things to check:
1) Is /etc/ssh/sshd_config set with "Use PAM = yes"?
2) What do you have set in sssd.conf for access_provider? If you're not using "access_provider = ldap" and the appropriate "ldap_access_order" settings, the expiration policy may not be checked.
-- Thank you, Dmitri Pal
Sr. Engineering Manager for IdM portfolio Red Hat Inc.