
Re: Enable/Disable user account in openLDAP



Am 21.11.2011 15:59, schrieb Michael Ströder:
> Christian Manal wrote:
>> Am 21.11.2011 14:25, schrieb Jayavant Patil:
>>> Hi,
>>>
>>>    I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know how
>>> to enable/disable a user account in openLDAP?  I know ppolicy overlay but I
>>> don't require this password based locking.
>>
>> we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the
>> userPassword (i.e. putting some random string before the '{HASH}' part),
>> setting the loginShell to '/bin/false' and putting the 'D' flag in
>> sambaAcctFlags.
> 
> With this approach you cannot re-enable an account without going through a
> password reset process.


Yes you can. For example, I change userPassword for a user from

   userPassword: {SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em

to

   userPassword: foobar{SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em

The password will now be interpreted as clear text. The user would have
to know the hash for his password and the random 'foobar' part to log
in. To re-enable the password, I simply remove everything before '{SSHA}'.


Regards,
Christian Manal
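The invalidate/re-enable trick described in this message, as an added Python example that is not part of the thread: a small model of how slapd compares a userPassword value (a recognised {SCHEME} prefix selects a hash comparison, anything else is compared as cleartext), the random prefix that disables the account, and the strip that re-enables it without touching the stored hash. The helper names, the use of `secrets.token_urlsafe` for the random part, and the sample password and salt are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Scheme markers slapd recognises at the start of a userPassword value.
# Only {SSHA} is verified here; the rest are listed so re-enabling only
# strips a prefix that sits in front of a real scheme marker.
KNOWN_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored: str, candidate: str) -> bool:
    """Model of the bind check: a leading scheme marker selects a hash
    comparison; a value without one is treated as cleartext."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 is 20 bytes, rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())
    if stored.startswith(KNOWN_SCHEMES):
        raise NotImplementedError("only {SSHA} is modelled in this example")
    return hmac.compare_digest(stored.encode(), candidate.encode())


def find_scheme(stored: str) -> int:
    """Index of the first known {SCHEME} marker in the value, or -1."""
    hits = [stored.find(s) for s in KNOWN_SCHEMES if s in stored]
    return min(hits) if hits else -1


def is_disabled(stored: str) -> bool:
    """Disabled values carry a scheme marker somewhere after position 0."""
    return find_scheme(stored) > 0


def disable_password(stored: str) -> str:
    """Prepend a random string (the post's 'foobar') so the value no longer
    starts with a scheme marker and is compared as cleartext from now on.
    token_urlsafe never emits '{', so the marker search stays unambiguous."""
    return stored if is_disabled(stored) else secrets.token_urlsafe(12) + stored


def enable_password(stored: str) -> str:
    """Drop everything before the scheme marker; the hash is unchanged,
    so the user's old password works again without a reset."""
    idx = find_scheme(stored)
    if idx < 0:
        raise ValueError("no recognised {SCHEME} marker; cannot re-enable")
    return stored[idx:]
```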