On (15/04/15 12:37), Olivier wrote:
>> My current policy is the following :
>> - All my users must have a password in ldap (that is used by
>> applications other than ssh)
>> - not all my users may have an ssh key (some never use ssh)
>> Everything works as I want.
>I realize that with my tuning ssh behaves as such:
>* if the user has no key in ldap then ssh asks for a login password
>* if the user has a correct key in ldap then ssh grants access and
> doesn't ask for any login/password
>* if the user has an incorrect key in ldap then ssh switches to the
> login/password authentication process.
>That means that if a bad sshkey is returned by
>"sss_ssh_authorizedkeys", then ppolicy will be checked and
>updated if necessary through the "login / password" process.
>Maybe that could help: with a given flag "sss_ssh_authorizedkeys"
>could simply refuse to return the key in case of a "ppolicy issue".
Your requirements seem to be similar to those in tickets:
The first feature is available in sssd-1.11
and the second one was recently added to sssd-1.12
Here is a sample config (section headers added; the lockout options go in the domain section):

[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
debug_level = 0xfff0
ldap_search_base = $DS_BASE_DN
id_provider = ldap
ldap_uri = ldap://$SERVER
cache_credentials = True
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
access_provider = ldap
ldap_access_order = lockout
ldap_pwdlockout_dn = cn=pwdconfig,ou=policies,$DS_BASE_DN
You can read more details in manual page sssd-ldap -> ldap_access_order
sssd-users mailing list
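An added audit script, not from the thread or the sssd project, that reads an sssd.conf and reports domains where SSH-key logins would still bypass the LDAP password-policy lockout (the gap Olivier describes), using the weak and corrected configurations side by side. The hostnames, search base and the two sample configs are constructed; the defaults assumed for absent options (access_provider=permit, ldap_access_order=filter) are the documented sssd defaults.

```python
"""Audit sssd.conf: does each LDAP domain enforce ppolicy lockout on SSH-key logins?"""
import configparser

# Constructed sample: keys are served, but no access provider consults ppolicy,
# so a locked-out account still logs in with its SSH key.
WEAK_CONF = """
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
"""

# Constructed sample mirroring the fix from the reply: the ldap access provider
# checks the ppolicy lockout state before any login is permitted.
FIXED_CONF = WEAK_CONF + """
access_provider = ldap
ldap_access_order = lockout
ldap_pwdlockout_dn = cn=pwdconfig,ou=policies,dc=example,dc=com
"""


def audit_sssd_conf(text):
    """Return a list of findings; an empty list means every domain enforces lockout."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "ssh" not in services:  # sss_ssh_authorizedkeys talks to the ssh responder
        findings.append("[sssd] services lacks 'ssh': sss_ssh_authorizedkeys cannot serve keys")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("access_provider", "permit").strip() != "ldap":  # default: permit
            findings.append(f"[{section}] access_provider is not 'ldap': ppolicy lockout never checked")
            continue
        order = [o.strip() for o in dom.get("ldap_access_order", "filter").split(",")]
        if "lockout" not in order:
            findings.append(f"[{section}] ldap_access_order lacks 'lockout'")
        elif not dom.get("ldap_pwdlockout_dn"):
            findings.append(f"[{section}] lockout enabled but ldap_pwdlockout_dn not set explicitly")
    return findings
```

Point it at a real file with `audit_sssd_conf(open('/etc/sssd/sssd.conf').read())`; the findings are only as complete as the options the script knows about.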