
Re: Enable/Disable user account in openLDAP



Christian Manal wrote:
> Am 21.11.2011 15:59, schrieb Michael Ströder:
>> Christian Manal wrote:
>>> Am 21.11.2011 14:25, schrieb Jayavant Patil:
>>>> Hi,
>>>>
>>>>    I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know how
>>>> to enable/disable a user account in openLDAP?  I know ppolicy overlay but I
>>>> don't require this password based locking.
>>>
>>> we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the
>>> userPassword (i.e. putting some random string before the '{HASH}' part),
>>
>> With this approach you cannot re-enable an account without going through a
>> password reset process.
> 
> Yes you can. For example, I change userPassword for a user from
> 
>    userPassword: {SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
> 
> to
> 
>    userPassword: foobar{SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
> 
> The password will now be interpreted as clear text. The user would have
> to know the hash for his password and the random 'foobar' part, to log
> in. To re-enable the password, I simply remove everything before '{SSHA}'.

No doubt: with IT everything is possible, everything... but whether it makes sense
is another question.

While this might work for you with custom code, having ACLs for userPassword is
the much cleaner approach, without having to mess with password values and
without having to write any custom code:

In this example, organizationalStatus=0 means active:

access to
  attrs=userPassword
  filter=(&(objectClass=inetOrgPerson)(!(organizationalStatus=0)))
    by group="cn=Admins,ou=Groups,ou=example" =wx
    by group="cn=Replicas,ou=Groups,ou=example" read
    by * none

access to
  attrs=userPassword
  filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0))
    by group="cn=Admins,ou=Groups,ou=example" =swx
    by group="cn=Replicas,ou=Groups,ou=example" read
    by self =wx
    by * =x

Ciao, Michael.
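Added example (not part of the thread, and not Michael's code): the client-side half of the ACL approach above, i.e. flipping organizationalStatus with ldapmodify and then checking with ldapwhoami that a disabled account can no longer bind. It assumes the OpenLDAP command-line clients are installed, that the server URI, admin DN and user DN are placeholders you replace, and that the entry's schema actually allows the organizationalStatus attribute (it is a cosine.schema attribute, not part of inetOrgPerson itself).

```shell
#!/bin/sh
# Example added to the thread, not the original poster's code.
# Placeholders: LDAP_URI, ADMIN_DN (a member of cn=Admins,ou=Groups,ou=example),
# LDAP_ADMIN_PW and USER_PW come from the environment.
LDAP_URI="${LDAP_URI:-ldap://localhost}"        # placeholder
ADMIN_DN="${ADMIN_DN:-cn=admin,ou=example}"     # placeholder

# Emit the LDIF that sets organizationalStatus on DN $1 to value $2
# (0 = active, anything else = disabled, matching the ACL filters above).
account_status_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: organizationalStatus\norganizationalStatus: %s\n' "$1" "$2"
}

# Apply the change as the admin; only the Admins group may write, so this
# is the one privileged step and the only place custom code is needed.
set_account_status() {
    account_status_ldif "$1" "$2" | \
        ldapmodify -H "$LDAP_URI" -x -D "$ADMIN_DN" -w "$LDAP_ADMIN_PW"
}

disable_account() { set_account_status "$1" 1; }
enable_account()  { set_account_status "$1" 0; }

# Returns 0 if a simple bind as DN $1 with password $2 succeeds.
# With the ACLs above, a disabled entry grants no "x" (auth) access to
# userPassword, so slapd answers "Invalid credentials" (49) even when
# the stored hash is untouched. That is the check to run after rollout.
can_bind() {
    ldapwhoami -H "$LDAP_URI" -x -D "$1" -w "$2" >/dev/null 2>&1
}

# Smoke test against a real server; skipped when no admin password is set.
if [ -n "${LDAP_ADMIN_PW:-}" ]; then
    user="uid=jdoe,ou=People,ou=example"        # placeholder DN
    disable_account "$user"
    if can_bind "$user" "${USER_PW:?set USER_PW}"; then
        echo "WARNING: $user can still bind, ACL not in effect"
    else
        echo "$user locked"
    fi
    enable_account "$user"
    can_bind "$user" "$USER_PW" && echo "$user unlocked" || echo "bind still failing"
fi
```

Because the ACL only removes "x" access, the lock takes effect on the next bind attempt; existing sessions stay open until they are closed or the connection is dropped.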