Hello
I am nearly finished building a new LDAP cluster using SSSD for clients.
I have a password policy set which will lock out accounts upon bind failure:
dn: ou=Policies,dc=blah
ou: Policies
objectClass: organizationalUnit

dn: cn=passwordDefault,ou=Policies,dc=blah
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 365
pwdMinLength: 15
pwdInHistory: 5
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 320
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdSafeModify: FALSE
I am using an account for binding with LDAP since my OpenLDAP ACLs disallow anon binds. My concern about this is that if a malicious user was to start attempting binds with the bind account, then they could lock out this important user, thus bringing down SSSD binding for all of my clients. I do not want that.
sssd.conf:
ldap_uri = ldaps://provider
ldap_backup_uri = ldaps://consumer
ldap_default_bind_dn = uid=user,ou=sysadmin,dc=blah
ldap_default_authtok_type = password
ldap_default_authtok = longpass
ldap_search_base = dc=blah
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/sha2bundle.cer
This should probably be sent to another list, though does anyone know if it's possible to exempt a single user from the above password policy so that pwdLockout would not apply?
Thanks,
Doug

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On (12/12/16 15:38), Douglas Duckworth wrote:
I assume that other users are in a different tree and not in ou=sysadmin,dc=blah. They would need to guess the default bind DN, because only root can read sssd.conf; otherwise sssd would not start.
And if you are really worried about the password policy for the bind account, then you can use a custom policy for this account.
dn: uid=user,ou=sysadmin,dc=blah
objectClass: account
objectClass: posixAccount
cn: user
uidNumber: 12345
gidNumber: 12345
userPassword: {SSHA}aaaaaaaaaaaaaaaaaaaaaaaaaa
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdPolicySubentry: cn=customBindAccoundPolicy,ou=policies,$DS_BASE_DN
I didn't test that.
BTW you needn't use ldaps in ldap_uri because sssd would use start_tls anyway for bind and there are known issues with ldaps and failover.
LS
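A concrete version of the per-account policy suggested above, as an added example that is not code from the thread: it assumes the slapo-ppolicy overlay is loaded on the provider, an admin DN of cn=admin,dc=blah, and a policy entry named cn=bindAccountPolicy under ou=Policies,dc=blah (all placeholders; adjust to your directory).

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values below: LDAP_URI,
# ADMIN_DN and the policy DN are placeholders for your own directory.
LDAP_URI="${LDAP_URI:-ldaps://provider}"
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=blah}"
BIND_DN="uid=user,ou=sysadmin,dc=blah"
POLICY_DN="cn=bindAccountPolicy,ou=Policies,dc=blah"

# Policy for the SSSD bind account: keep the length/history rules, but
# never lock the entry. pwdLockout FALSE means failed binds never put
# the account in a locked state; pwdMaxFailure 0 disables the failure
# limit entirely. No pwdMaxAge and pwdMustChange FALSE, because an
# expired or must-change service password would break every client.
bind_policy_ldif() {
cat <<EOF
dn: $POLICY_DN
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: bindAccountPolicy
sn: bindAccountPolicy
pwdAttribute: userPassword
pwdMinLength: 15
pwdInHistory: 5
pwdMaxFailure: 0
pwdLockout: FALSE
pwdAllowUserChange: FALSE
pwdMustChange: FALSE
EOF
}

# Point the bind account at that policy. pwdPolicySubentry is an
# operational attribute defined by the overlay, so only this attribute
# is set on the existing entry; no extra objectClass is required.
assign_policy_ldif() {
cat <<EOF
dn: $BIND_DN
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: $POLICY_DN
EOF
}

apply() {
  bind_policy_ldif   | ldapadd    -H "$LDAP_URI" -D "$ADMIN_DN" -W
  assign_policy_ldif | ldapmodify -H "$LDAP_URI" -D "$ADMIN_DN" -W
  # Check the effective policy and whether any lock state is present.
  ldapsearch -H "$LDAP_URI" -D "$ADMIN_DN" -W -b "$BIND_DN" -s base \
    pwdPolicySubentry pwdAccountLockedTime pwdFailureTime
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run with `apply` as the first argument to push both LDIFs and print the bind account's effective policy; without it the script only defines the functions.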
sssd-users@lists.fedorahosted.org