Many thanks Lukas: very interesting.

I'll look at this.


2015-04-15 13:40 GMT+02:00 Lukas Slebodnik <>:
On (15/04/15 12:37), Olivier wrote:
>> My current policy is the following:
>> - All my users must have a password in ldap (that is used by
>>  applications other than ssh)
>> - not all my users may have an ssh key (some never use ssh)
>> Everything works as I want.
>I realize that with my tuning ssh behaves as such:
>* if the user has no key in ldap then ssh asks for a login password
>* if the user has a correct key in ldap then ssh grants access and
>   doesn't ask for any login/password
>* if the user has an incorrect key in ldap then ssh switches to the
>   login/password authentication process.
>That means that if a bad sshkey is returned by
>"sss_ssh_authorizedkeys", then ppolicy will be checked and
>updated if necessary through the "login / password" process.
>Maybe that could help: with a given flag "sss_ssh_authorizedkeys"
>could simply refuse to return the key in case of a "ppolicy issue".

Your requirements seem to be similar to those in these tickets:

The first feature is available in sssd-1.11
and the second one was recently added to sssd-1.12

Here is a sample config
    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = LDAP

    [domain/LDAP]
    debug_level = 0xfff0
    ldap_search_base = $DS_BASE_DN
    id_provider = ldap
    ldap_uri = ldap://$SERVER
    cache_credentials = True
    ldap_tls_cacert = /etc/openldap/certs/cacert.asc
    # Ask the LDAP provider for the access decision (PAM account phase)
    access_provider = ldap
    # lockout: deny access when the ppolicy marks the account as locked
    ldap_access_order = lockout
    # DN of the ppolicy entry holding pwdLockoutDuration
    ldap_pwdlockout_dn = cn=pwdconfig,ou=policies,$DS_BASE_DN

You can read more details in the sssd-ldap manual page under ldap_access_order

sssd-users mailing list
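The lockout check that the sample config enables, as an added illustration (not sssd's code and not from the thread): the user's pwdAccountLockedTime is compared against the pwdLockoutDuration read from the entry named by ldap_pwdlockout_dn. Since the decision is made in the PAM account phase, it applies whether the user authenticated with an LDAP key or a password. The sample entries and the evaluation time are constructed.

```python
from datetime import datetime, timedelta, timezone

# ppolicy sentinel: pwdAccountLockedTime set to this means "locked by an
# administrator", regardless of pwdLockoutDuration.
PERMANENT_LOCK = "000001010000Z"

# Constructed evaluation time: 2015-04-15 12:00:00 UTC.
SAMPLE_NOW = datetime(2015, 4, 15, 12, 0, 0, tzinfo=timezone.utc)

# Constructed ppolicy entry (what ldap_pwdlockout_dn would point at).
SAMPLE_POLICY = {"pwdLockoutDuration": "900"}   # auto-unlock after 15 minutes

# Constructed user entries: only the lockout-relevant attribute is shown.
SAMPLE_USERS = {
    "alice": {},                                          # never locked
    "bob":   {"pwdAccountLockedTime": "20150415115000Z"},  # locked 10 min ago
    "carol": {"pwdAccountLockedTime": "20150415110000Z"},  # lock expired
    "dave":  {"pwdAccountLockedTime": PERMANENT_LOCK},     # admin lock
}


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC LDAP GeneralizedTime (YYYYMMDDHHMM[SS]Z)."""
    digits = value.rstrip("Z")
    fmt = "%Y%m%d%H%M%S" if len(digits) >= 14 else "%Y%m%d%H%M"
    return datetime.strptime(digits[:14], fmt).replace(tzinfo=timezone.utc)


def is_locked_out(user_attrs: dict, policy_attrs: dict, now: datetime) -> bool:
    """Return True if the ppolicy says the account is locked at time `now`."""
    locked_time = user_attrs.get("pwdAccountLockedTime")
    if locked_time is None:
        return False                       # no lock ever recorded
    if locked_time == PERMANENT_LOCK:
        return True                        # locked until an admin clears it
    duration = int(policy_attrs.get("pwdLockoutDuration", "0"))
    if duration == 0:
        return True                        # 0 means no automatic unlock
    return now < parse_generalized_time(locked_time) + timedelta(seconds=duration)


def access_decisions(users=SAMPLE_USERS, policy=SAMPLE_POLICY, now=SAMPLE_NOW):
    """Map each user to 'deny' or 'allow', as the account phase would."""
    return {name: ("deny" if is_locked_out(attrs, policy, now) else "allow")
            for name, attrs in users.items()}


if __name__ == "__main__":
    for user, verdict in access_decisions().items():
        print(f"{user}: {verdict}")
```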