4 Replies Latest reply: Jun 9, 2009 9:59 PM by 807573

    LDAP Account locking

    807573
      Hi all,

      I have a new installation of Solaris 10 GA (on X86), together with Directory Server. I have LDAP working fine and dandy with zones contacting the global zone for LDAP information. That all works fine.

      One thing I cannot get working is to block ssh connections if I inactivate the LDAP account. I can write a small perl script, which returns that the account is locked, I can do an 'ldapsearch' that shows that the 'nsaccountlock' attribute is set, but I can still ssh into the zone as that user.

      Has anyone got this to work? I can post more info (pam.conf for example) if needed, but I thought I'd keep the message small until someone can help.

      Thanks.
        • 1. Re: LDAP Account locking
          807573
          Never mind...funny how you always get "inspiration" after you ask for help ;-)

          It's all sorted now.... account locking works like a charm through LDAP.
          • 2. Re: LDAP Account locking
            807573
            It would be great to know the answer....

            thanks
            • 3. Re: LDAP Account locking
              807573
              Same problem: inactivated accounts on DS are still able to log in through ssh.
              • 4. Re: LDAP Account locking
                807573
                I'd love to know the solution ... because I have exactly the same problem, running Sun Java Directory Server Enterprise Edition 6.3.1 on Solaris 10 5/08.

                Everything seems to be working with my LDAP configuration, except accounts can still log in via ssh even when the account is deactivated (nsAccountLock: true) or expired (pwdChangedTime older than pwdMaxAge). But ssh correctly stops the user logging in when the account is 'locked out' due to too many invalid login attempts!

                Three cases of the LDAP server showing clear errors on the attempted BIND of the user trying to log in ... but ssh ignores two and logs in anyway.

                When the account has 'nsAccountLock' set to true I see this failed BIND in the LDAP log:

                [09/Jun/2009:16:15:03 +1000] conn=2946 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
                [09/Jun/2009:16:15:03 +1000] conn=2946 op=0 msgId=1 - RESULT err=53 tag=97 nentries=0 etime=0, Account inactivated. Contact system administrator.

                ...but ssh still logs the user in.

                When the account has an expired password I see this failed BIND:

                [09/Jun/2009:16:12:29 +1000] conn=2938 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
                [09/Jun/2009:16:12:29 +1000] conn=2938 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0, password expired!

                ... but ssh still logs the user in.

                But when the account is temporarily locked out, due to the user entering too many bad passwords too fast, I see this failed BIND:

                [09/Jun/2009:16:17:00 +1000] conn=2959 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
                [09/Jun/2009:16:17:00 +1000] conn=2959 op=0 msgId=1 - RESULT err=19 tag=97 nentries=0 etime=0, Exceed password retry limit. Account locked.

                ... and ssh does the proper thing in this case and refuses to allow the user to login.

                Failed BINDs in each of the three cases, with different error codes - err=53, 49, 19 - but ssh only takes note of one of them. But the fact that it does take note of the 'err=19' failed BIND for a locked-out account would mean that pam.conf and such are set up correctly ... I would have thought?

                I'm totally flummoxed as to why this is happening. Any help or hints would be most gratefully received!!

                (I wish 'Shellprompt_Hosting' had shared his "working like a charm" solution!!!)
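A small parser for the Directory Server access-log records quoted in reply 4, added here as an example (it is not code from the thread or from Sun's product). It pairs each BIND with the RESULT for the same conn/op and reports every rejected bind with the standard LDAP result-code name, so an administrator auditing this problem can list the binds the server refused and compare them against the sshd sessions that were nevertheless granted. The err-code meanings are the standard LDAP names plus the messages the log itself shows; the sample log excerpt is constructed from the lines in the thread.

```python
import re

# Record shapes of the Directory Server access-log lines quoted in the thread.
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - '
    r'BIND dn="(?P<dn>[^"]*)" method=\d+ version=\d+$')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - '
    r'RESULT err=(?P<err>\d+) tag=\d+ nentries=\d+ etime=\d+(?:, (?P<msg>.*))?$')

# The three LDAP result codes from the thread and what the server said for each.
ERR_MEANING = {
    53: "unwillingToPerform: account inactivated (nsAccountLock=true)",
    49: "invalidCredentials: password expired or wrong password",
    19: "constraintViolation: retry limit exceeded, account locked",
}

# Sample input: the three BIND/RESULT pairs quoted in reply 4 (constructed excerpt).
SAMPLE_LOG = """
[09/Jun/2009:16:15:03 +1000] conn=2946 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:15:03 +1000] conn=2946 op=0 msgId=1 - RESULT err=53 tag=97 nentries=0 etime=0, Account inactivated. Contact system administrator.
[09/Jun/2009:16:12:29 +1000] conn=2938 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:12:29 +1000] conn=2938 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0, password expired!
[09/Jun/2009:16:17:00 +1000] conn=2959 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:17:00 +1000] conn=2959 op=0 msgId=1 - RESULT err=19 tag=97 nentries=0 etime=0, Exceed password retry limit. Account locked.
"""

def failed_binds(lines):
    """Pair each BIND with the RESULT for the same conn/op; return the rejected ones."""
    pending = {}   # (conn, op) -> bind dn, held until its RESULT line arrives
    failures = []
    for raw in lines:
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        dn = pending.pop((m["conn"], m["op"]), None)
        err = int(m["err"])
        if dn is None or err == 0:
            continue  # RESULT for an op we never saw bind, or a successful bind
        failures.append({"ts": m["ts"], "conn": m["conn"], "dn": dn, "err": err,
                         "message": m["msg"] or "",
                         "meaning": ERR_MEANING.get(err, "other LDAP error")})
    return failures
```

Every record returned is a bind the server refused, so any ssh session that follows one of these for the same user is the symptom the thread describes.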