On Tue, Nov 29, 2016 at 03:40:26AM -0000, kevin4sullivan(a)gmail.com wrote:
> What is the SSSD approach to allowing a user to only login when its
> backend is offline?
I'm not aware of anything readily available.
> I currently have an OpenLDAP server that I authenticate against via SSSD
> and PAM to login. Normally, I can log into my machines with the accounts
> stored in LDAP, however, I would like to still be able to log into those
> machines even if my LDAP server is not online. I want to have an emergency
> user that is able to login when LDAP is not online, but I don't want the
> emergency user to be able to log in when LDAP is online. I don't want to
> cache credentials and I can't guarantee that the account will have been
> used to login before LDAP is offline.
Please note that the credential caching does not actually cache
plaintext passwords, but only password hashes. Moreover, the cache is
only accessible to the root user.
Here is an example from my test machine:
# ldbsearch -H /var/lib/sss/db/cache_ipa.test.ldb name=u2(a)ipa.test cachedPassword
# record 1
> What I am currently doing that doesn't work is having a locked account in LDAP
> for the emergency user. So if someone tries to login as the emergency user it will fail.
> The emergency user is disabled by setting `ldap_access_order` to `expire`.
> Unfortunately, when LDAP is offline, the emergency user still has the locked attribute
> since the user's attributes are cached. So the emergency user still fails to login.
> So my questions are:
> 1. SSSD is caching my user information (not credentials) when my LDAP server is
> offline. Is there a way to not cache user information or drop it after a set amount of
> I don't think there is a way, but I want to ask. I also don't think that this
> is the SSSD mindset, which leads to my next question.
> 2. What is the SSSD way to allow a user to only login when its backend is offline?
> Is there a way to do special things when a backend is offline? Instead of locking the
> account through a client-side 'access' check, should I be doing this through a
> server-side mechanism? Am I missing something incredibly obvious? Is this just a stupid
> approach to begin with?
> I am sure there is a good way to do this, I just don't know enough to figure it
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
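The reply above makes two claims about the SSSD credential cache that an administrator can verify on their own host: cachedPassword holds a hash rather than the plaintext password, and the cache database is readable only by root. The following script is an added example, not code from the thread or from the SSSD project. It checks both properties. The ldbsearch output it parses is a constructed sample (the hash value is made up); on a real system the output of the `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb ... cachedPassword` command from the reply, run as root, can be fed in instead. The mode check assumes GNU stat (Linux) and expects the cache files under /var/lib/sss/db/ to be 0600 owned by root.

```shell
#!/bin/sh
# Added example (not from the sssd-users thread or the SSSD project): verify
# that the SSSD credential cache stores hashes, not plaintext, and that the
# cache .ldb file carries no group/other permission bits.

# Constructed sample of `ldbsearch ... cachedPassword` output. The dn and the
# $6$ (sha512crypt) value are made up for illustration; not from a real host.
SAMPLE_LDB_OUTPUT='# record 1
dn: name=u2@ipa.test,cn=users,cn=ipa.test,cn=sysdb
cachedPassword: $6$constructedsalt$Xyz0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd

# returned 1 records
# 1 entries
# 0 referrals'

# cached_password_is_hash OUTPUT
# Returns 0 when every cachedPassword value in the ldbsearch OUTPUT has the
# crypt(3) shape $id$salt$digest (e.g. $6$...), and 1 when any value lacks
# that shape (a plaintext password would) or when no cachedPassword is present.
cached_password_is_hash() {
    values=$(printf '%s\n' "$1" | sed -n 's/^cachedPassword: //p')
    [ -n "$values" ] || return 1
    # Count values that do NOT look like $id$salt$digest.
    bad=$(printf '%s\n' "$values" |
          awk '!/^\$[0-9a-z]*\$[^$]*\$/ { n++ } END { print n + 0 }')
    [ "$bad" -eq 0 ]
}

# cache_db_mode_ok PATH
# Returns 0 when PATH exists and its mode has no group or other bits set
# (600, 400, 700 ...), which is what root-only access to the cache requires.
# Uses GNU stat; owner should additionally be root on a real system.
cache_db_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Stand-alone run: check the constructed sample, then any real cache files
# that happen to be present (requires root to read them).
if cached_password_is_hash "$SAMPLE_LDB_OUTPUT"; then
    echo "sample: cachedPassword is stored as a crypt(3) hash"
else
    echo "sample: cachedPassword is NOT a hash" >&2
fi
if [ -d /var/lib/sss/db ]; then
    for f in /var/lib/sss/db/cache_*.ldb; do
        [ -e "$f" ] || continue
        if cache_db_mode_ok "$f"; then
            echo "$f: mode restricts access to owner"
        else
            echo "$f: mode allows group/other access" >&2
        fi
    done
fi
```

To test a live cache, run as root: `cached_password_is_hash "$(ldbsearch -H /var/lib/sss/db/cache_ipa.test.ldb name=u2@ipa.test cachedPassword)"`, substituting the domain and user. A value that does not start with `$id$` would indicate plaintext storage, which is not what SSSD does; the check is there to confirm the claim, not because a failure is expected.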