
Re: disabling user account



Liam Gretton wrote:
> On 16/04/2013 19:49, Jignesh Patel wrote:
>> Does openldap have a provision like active directory to disable a user?
>>
>> useraccountcontrol 544
>
> At our site I created a new attribute 'globalLock' for every account and
> filter on that at the service end. For example in /etc/ldap.conf for PAM:
>
> pam_filter  (globalLock=off)
>
> Enabled users get globalLock set to 'off'. Any other value will lock the
> user out.
>
> It's simple enough to use in Apache and other applications too.

Better to do this in a slapd ACL and enforce from the server side, than to rely on correctness of multiple clients.

	access to attrs=userpassword filter=(globalLock=off)
		by anonymous auth


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
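
An added example, not part of the original thread: slapd stops at the first `access to` rule whose target matches, so the filtered rule above only locks accounts if no later rule also grants anonymous `auth` on userPassword. The check below scans slapd.conf-style ACL text for such unguarded rules. The function names and both sample configurations are constructed for illustration, and the model is simplified: it ignores `continue`/`break` control keywords and only treats `anonymous` and `*` as matching an unauthenticated client.

```python
import re

# slapd access levels, lowest to highest; "auth" or above permits a bind.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LOCK_FILTER = "filter=(globallock=off)"  # attribute and value from the thread

def logical_lines(conf):
    """Drop comment lines, then join continuation lines (leading whitespace)."""
    body = re.sub(r"(?m)^[ \t]*#.*\n?", "", conf)
    return [l.strip() for l in re.sub(r"\n[ \t]+", " ", body).splitlines() if l.strip()]

def unguarded_auth_rules(conf):
    """Return rules that let anonymous bind against userPassword without the lock filter."""
    findings = []
    for line in logical_lines(conf):
        head, *clauses = re.split(r"\s+by\s+", line)
        m = re.match(r"access\s+to\s+(.+)", head, re.I)
        if not m:
            continue
        what = m.group(1).lower()
        attrs = re.search(r"attrs=(\S+)", what)
        if attrs and "userpassword" not in attrs.group(1).split(","):
            continue  # rule does not cover userPassword
        if LOCK_FILTER in what:
            continue  # guarded: matches unlocked entries only, locked ones fall through
        for clause in clauses:
            parts = clause.lower().split()
            if len(parts) >= 2 and parts[0] in ("anonymous", "*"):
                if parts[1] in LEVELS and LEVELS.index(parts[1]) >= LEVELS.index("auth"):
                    findings.append(line)
                break  # the first matching "by" clause decides
        if not re.search(r"\b(dn[.\w]*|filter)=", what):
            break  # unscoped rule: no later rule is consulted for userPassword
    return findings

# Constructed samples (not from the thread).
WEAK = """access to attrs=userPassword filter=(globalLock=off)
\tby anonymous auth
access to attrs=userPassword
\tby self write
\tby anonymous auth
"""
HARDENED = """access to attrs=userPassword filter=(globalLock=off)
\tby anonymous auth
access to attrs=userPassword
\tby * none
access to *
\tby * read
"""
```

In `WEAK`, a locked entry skips the filtered rule and is then matched by the second rule, which still lets it bind; in `HARDENED`, the explicit `by * none` rule catches locked entries before the catch-all is reached.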