Never mind...funny how you always get "inspiration" after you ask for help ;-)
It's all sorted now....account locking works like a charm through LDAP.
It would be great to know the answer....
Same problem: inactivated accounts on DS still able to login through ssh
I'd love to know the solution ... because I have exactly the same problem, running Sun Java Directory Server Enterprise Edition 6.3.1 on Solaris 10 5/08.
Everything seems to be working with my LDAP configuration, except accounts can still login via ssh even when the account is deactivated (nsAccountLock: true) or expired (pwdChangedTime older than pwdMaxAge). But ssh correctly stops the user logging in when the account is 'locked out' due to too many invalid login attempts!
Three cases of the LDAP server showing clear errors on the attempted BIND of the user trying to login ... but ssh ignores two and logs in anyway.
When the account has 'nsAccountLock' set to true I see this failed BIND in the LDAP log:
[09/Jun/2009:16:15:03 +1000] conn=2946 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:15:03 +1000] conn=2946 op=0 msgId=1 - RESULT err=53 tag=97 nentries=0 etime=0, Account inactivated. Contact system administrator.
...but ssh still logs the user in.
When the account has an expired password I see this failed BIND:
[09/Jun/2009:16:12:29 +1000] conn=2938 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:12:29 +1000] conn=2938 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0, password expired!
... but ssh still logs the user in.
But when the account is temporarily locked out, due to the user entering too many bad passwords too fast, I see this failed BIND:
[09/Jun/2009:16:17:00 +1000] conn=2959 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:17:00 +1000] conn=2959 op=0 msgId=1 - RESULT err=19 tag=97 nentries=0 etime=0, Exceed password retry limit. Account locked.
... and ssh does the proper thing in this case and refuses to allow the user to login.
Failed BINDs in each of the three cases, with different error codes - err=53, 49, 19 - but ssh only takes note of one of them. But the fact that it does take note of the 'err=19' failed BIND for a locked-out account would mean that pam.conf and such are set up correctly ... I would have thought?
I'm totally flummoxed as to why this is happening. Any help or hints would be most gratefully received!!
(I wish 'Shellprompt_Hosting' had shared his "working like a charm" solution!!!)
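An added example, not code from anyone in this thread: a small Python script that pairs each BIND with its RESULT in Sun DS access-log lines like the ones quoted above and lists every bind the directory itself rejected, with the standard LDAP result-code name, so a defender can compare that list against the logins sshd actually accepted. The sample log is the three exchanges from the post plus one constructed successful bind; the "dc=..." suffix is kept exactly as the post shows it.

```python
import re

# Constructed sample: the three rejected binds quoted in the post (err=53, 49, 19)
# plus one constructed successful bind (err=0) for contrast.
SAMPLE_LOG = """\
[09/Jun/2009:16:15:03 +1000] conn=2946 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:15:03 +1000] conn=2946 op=0 msgId=1 - RESULT err=53 tag=97 nentries=0 etime=0, Account inactivated. Contact system administrator.
[09/Jun/2009:16:12:29 +1000] conn=2938 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:12:29 +1000] conn=2938 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0, password expired!
[09/Jun/2009:16:17:00 +1000] conn=2959 op=0 msgId=1 - BIND dn="uid=testuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:17:00 +1000] conn=2959 op=0 msgId=1 - RESULT err=19 tag=97 nentries=0 etime=0, Exceed password retry limit. Account locked.
[09/Jun/2009:16:18:00 +1000] conn=2960 op=0 msgId=1 - BIND dn="uid=okuser,ou=people,ou=unix,dc=..." method=128 version=3
[09/Jun/2009:16:18:00 +1000] conn=2960 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
"""

# Standard LDAP result codes (RFC 4511) for the values seen in the post.
RESULT_NAMES = {0: "success", 19: "constraintViolation",
                49: "invalidCredentials", 53: "unwillingToPerform"}

# method=128 is a simple (password) bind; conn/op identify the operation
# whose RESULT line follows.
BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) .* - BIND '
                     r'dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) .* - RESULT '
                       r'err=(?P<err>\d+) .*?etime=[0-9.]+(?:, (?P<msg>.*))?$')


def failed_binds(log_text):
    """Pair BIND and RESULT lines by (conn, op) and return the binds the
    directory rejected, in log order, with code name and server message."""
    pending = {}   # (conn, op) -> bind dn, awaiting its RESULT line
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.match(line)
        if m and (m["conn"], m["op"]) in pending:
            err = int(m["err"])
            dn = pending.pop((m["conn"], m["op"]))
            if err != 0:
                failures.append({"time": m["ts"], "conn": m["conn"], "dn": dn,
                                 "err": err, "name": RESULT_NAMES.get(err, "other"),
                                 "message": m["msg"] or ""})
    return failures


if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG):
        print(f"{f['time']} {f['dn']} err={f['err']} ({f['name']}): {f['message']}")
```

Every entry this prints is a bind the server refused; any of these DNs that also appears in an accepted sshd login at the same time is a case of the client ignoring the directory's answer, which is exactly what the post describes for err=53 and err=49.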