Liam Gretton wrote:
> On 16/04/2013 19:49, Jignesh Patel wrote:
>> Does openldap has a provision like active directory to disable a user?
>>
>> useraccountcontrol 544
>
> At our site I created a new attribute 'globalLock' for every account and
> filter on that at the service end. For example in /etc/ldap.conf for PAM:
>
> pam_filter (globalLock=off)
>
> Enabled users get globalLock set to 'off'. Any other value will lock the user
> out.
>
> It's simple enough to use in Apache and other applications too.
The downside is that you have to configure it in each system.
This is not always possible.
I usually have an ACL like this for active human user's passwords which
1. allows all users to login,
2. grants write-only access for admins and
3. grants write-only access for the user himself.
access to
dn.onelevel="ou=People,dc=example,dc=com"
attrs=userPassword
filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0))
by group="cn=Admins,ou=Groups,dc=example,dc=com" =wx
by self =wx
by * auth
Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature