U. Windl

When authenticating using keys, can OpenSSH handle LDAP policies (locked and idle users) also?

Most of the users are from an OpenLDAP server, and users log in via SSH. Some users use a key to log in, some use a password.

I have set up a password policy for LDAP, so users may become locked in LDAP (by policy).

So I wonder: Can I make OpenSSH deny key logins for users that are locked in LDAP?

Likewise: OpenLDAP handles the date of last successful authentication (authTimestamp or pwdLastSuccess) to detect "idle" accounts; can I make OpenSSH update these attributes when authenticating via key (so that the accounts won't be locked due to being "idle")?

As I understand it, OpenSSH would have to authenticate against LDAP to make the server update the attributes. Probably not possible, but anyway...