
Re: How to disable or enable an ldap user account



On Tuesday 21 October 2008 15:39:25 Almir Karic wrote:
> On Mon, Oct 20, 2008 at 4:37 PM, Bill Jorgensen
>
> <Bill.Jorgensen@eim-usa.com> wrote:
> > I would need a little more information to help you. I have been working
> > LDAP within AIX so I know that pretty well...
>
> what i'd like to know is how to disable an account so you can't bind
> as disabled user, while if i change my mind you can still bind as that
> user (with the old password).  any hints?

To achieve this (and not rely on shadowAccount etc.), you probably need to use 
the OpenLDAP ppolicy overlay, and lock the user out with the 
pwdAccountLockedTime attribute.

E.g.:

$ read -s -p 'LDAP Password: ' LDAPPASS
LDAP Password: 
$ ldapwhoami -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com

Lock the user out:
# TZ=Z date "+%Y%m%d%H%M%SZ"
20081021135537Z
# ldapmodify
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
add: pwdAccountLockedTime
pwdAccountLockedTime: 20081021135537Z

modifying entry "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"

Try and bind now:
$ ldapwhoami -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
ldap_bind: Invalid credentials (49)


Unlock the account:
# ldapmodify
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
delete: pwdAccountLockedTime

modifying entry "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"

Bind again:
$ ldapwhoami -e ppolicy -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com


The configuration required for this:

(if this is not your default policy)

$ ldapsearch -LLL -x "(uid=bgmilne)" pwdPolicySubEntry
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=co
 m

$ ldapsearch -LLL -x -s base -b 'cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com'
dn: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com
cn: default
objectClass: pwdPolicy
objectClass: namedObject
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMustChange: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 3
pwdGraceAuthNLimit: 5
pwdMinLength: 6
pwdMaxAge: 1800


# grep ppolicy /etc/openldap/slapd.conf
include /usr/share/openldap/schema/ppolicy.schema
moduleload      ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com"


(overlay ppolicy and ppolicy_default need to be in the database section)


Regards,
Buchan
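As an added example (not part of Buchan's post or of OpenLDAP itself), the following Python builds the two LDIF changes fed to ldapmodify above and evaluates whether an entry is currently locked under slapo-ppolicy rules. It assumes the documented ppolicy semantics: the special value 000001010000Z means a permanent lock, and a non-zero pwdLockoutDuration in the applicable policy makes a timestamped lock expire on its own, so an administrative lock set this way under such a policy is temporary unless the permanent value is used. The policy on the page has pwdLockout TRUE and no pwdLockoutDuration, which is the "locked until an admin deletes the attribute" case.

```python
# Added example, not code from the original post: LDIF builders for the
# lock/unlock steps and a lock-state check mirroring slapo-ppolicy semantics.
from datetime import datetime, timedelta, timezone
from typing import Optional

# Documented ppolicy value meaning "locked until an administrator clears it".
PERMANENT_LOCK = "000001010000Z"
# Same GeneralizedTime layout the post produces with: TZ=Z date "+%Y%m%d%H%M%SZ"
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def lock_ldif(dn: str, when: Optional[datetime] = None, permanent: bool = False) -> str:
    """LDIF for the 'Lock the user out' step: add pwdAccountLockedTime."""
    if permanent:
        stamp = PERMANENT_LOCK
    else:
        when = when or datetime.now(timezone.utc)
        stamp = when.astimezone(timezone.utc).strftime(GENERALIZED_TIME)
    return (f"dn: {dn}\nchangetype: modify\n"
            f"add: pwdAccountLockedTime\npwdAccountLockedTime: {stamp}\n")


def unlock_ldif(dn: str) -> str:
    """LDIF for the 'Unlock the account' step: delete the attribute again."""
    return f"dn: {dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n"


def is_locked(entry: dict, policy: dict, now: datetime) -> bool:
    """True if a simple bind as this entry would fail because of the lock.

    entry  - attribute->value map of the user (e.g. from ldapsearch)
    policy - attribute->value map of its pwdPolicy subentry; assumed to
             have pwdLockout TRUE as in the post's default policy.
    """
    locked_at = entry.get("pwdAccountLockedTime")
    if not locked_at:
        return False                       # attribute absent: not locked
    if locked_at == PERMANENT_LOCK:
        return True                        # permanent lock, no expiry
    duration = int(policy.get("pwdLockoutDuration", 0))
    if duration == 0:
        return True                        # no auto-expiry: locked until deleted
    start = datetime.strptime(locked_at, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    return now < start + timedelta(seconds=duration)


if __name__ == "__main__":
    dn = "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"  # DN from the post
    print(lock_ldif(dn))    # pipe this into: ldapmodify
    print(unlock_ldif(dn))
```

Pipe the output of lock_ldif or unlock_ldif into ldapmodify exactly as the post does; is_locked is a way to audit the directory for accounts that are locked (or whose lock has silently expired) before relying on it as a disable mechanism.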