
Re: disabling user account



Liam Gretton wrote:
> On 16/04/2013 19:49, Jignesh Patel wrote:
>> Does OpenLDAP have a provision like Active Directory to disable a user?
>>
>> useraccountcontrol 544
> 
> At our site I created a new attribute 'globalLock' for every account and
> filter on that at the service end. For example in /etc/ldap.conf for PAM:
> 
> pam_filter  (globalLock=off)
> 
> Enabled users get globalLock set to 'off'. Any other value will lock the user
> out.
> 
> It's simple enough to use in Apache and other applications too.

The downside is that you have to configure it in each system.
This is not always possible.

I usually have an ACL like this for active human users' passwords which
1. allows all users to log in,
2. grants write-only access for admins and
3. grants write-only access for the user himself.

access to
  dn.onelevel="ou=People,dc=example,dc=com"
  attrs=userPassword
  filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0))
    by group="cn=Admins,ou=Groups,dc=example,dc=com" =wx
    by self =wx
    by * auth

Ciao, Michael.
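As an added illustration (not from Michael's message or from OpenLDAP itself), this Python model evaluates the ACL above the way slapd would, against a constructed three-user directory, assuming it is the only access directive so slapd's implicit trailing "access to * by * none" applies. It also shows a side effect of the filter: while an account is locked, even the Admins group cannot write its userPassword until organizationalStatus is set back to 0.

```python
# Added example, not code from the thread or from OpenLDAP: a simplified model
# of how slapd evaluates Michael's ACL, showing why any organizationalStatus
# other than "0" locks the account out. Assumed: it is the only access directive.

PEOPLE_BASE = "ou=People,dc=example,dc=com"
ADMIN_GROUP = "cn=Admins,ou=Groups,dc=example,dc=com"

# Constructed sample directory: alice enabled (and an admin), bob locked,
# carol with no organizationalStatus at all (the filter fails for her too).
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "organizationalStatus": "0"},
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "organizationalStatus": "1"},
    "uid=carol,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"]},
    ADMIN_GROUP: {"objectClass": ["groupOfNames"],
                  "member": ["uid=alice,ou=People,dc=example,dc=com"]},
}

def acl_filter(entry):
    # filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0))
    return ("inetOrgPerson" in entry.get("objectClass", [])
            and entry.get("organizationalStatus") == "0")

def privileges(requester, target, attr):
    """Privilege letters the ACL grants `requester` on `target`/`attr`."""
    entry = DIRECTORY.get(target)
    # dn.onelevel: exactly one RDN below ou=People (no escaped commas assumed)
    one_level = (target.endswith("," + PEOPLE_BASE)
                 and target.count(",") == PEOPLE_BASE.count(",") + 1)
    # The "access to" clause applies only if scope, attrs and filter all match;
    # otherwise slapd's implicit "access to * by * none" grants nothing.
    if (entry is None or not one_level or attr != "userPassword"
            or not acl_filter(entry)):
        return set()
    # "by" clauses are tried in order; the first that fits the requester wins.
    if requester in DIRECTORY[ADMIN_GROUP]["member"]:
        return {"w", "x"}   # by group="cn=Admins,..." =wx
    if requester == target:
        return {"w", "x"}   # by self =wx
    return {"x"}            # by * auth  (the auth level is the 'x' privilege)

def can_bind(dn):
    """A simple bind needs auth ('x') on the entry's own userPassword."""
    return "x" in privileges(dn, dn, "userPassword")

def can_set_password(requester, target):
    """A password change needs write ('w') on the target's userPassword."""
    return "w" in privileges(requester, target, "userPassword")
```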
