Re: Enable/Disable user account in openLDAP
Christian Manal wrote:
> On 21.11.2011 14:25, Jayavant Patil wrote:
>> Hi,
>>
>> I am using openldap-2.4.19-4 on a Fedora 12 machine. Does anybody know how
>> to enable/disable a user account in openLDAP? I know ppolicy overlay but I
>> don't require this password based locking.
>
> we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the
> userPassword (i.e. putting some random string before the '{HASH}' part),
> setting the loginShell to '/bin/false' and putting the 'D' flag in
> sambaAcctFlags.
With this approach you cannot re-enable an account without going through a
password reset process. This might be ok in your deployment but it's not what
temporarily disabling a user is about.
I usually do this with ACLs for userPassword attribute.
Ciao, Michael.
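
One way an ACL on userPassword can disable an account while leaving the stored hash untouched, as an added slapd.conf example that is not part of the original thread. The subtree DN and the `employeeType=disabled` marker are assumptions chosen for illustration.

```conf
# Added example, not from the thread. Assumed: accounts live under
# ou=people,dc=example,dc=com and a disabled account carries
# employeeType=disabled (any attribute your admins control would do).

# slapd stops at the first matching "access to" clause, so the rule for
# disabled entries must come before the general userPassword rule.
# A simple bind needs "auth" access to userPassword; denying it makes
# the bind fail although the password hash is left unchanged.
access to dn.subtree="ou=people,dc=example,dc=com"
        filter="(employeeType=disabled)"
        attrs=userPassword
    by * none

# General rule for all other entries: users may change their own
# password, anonymous sessions may only authenticate against it.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=userPassword
    by self write
    by anonymous auth
    by * none
```

Removing the marker attribute re-enables the account with its existing password. The rule only affects simple binds evaluated by slapd; SASL mechanisms and services that authenticate elsewhere (Samba, Kerberos) need their own controls, and the marker attribute must not be writable by the user.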