Liam Gretton wrote:
> On 16/04/2013 19:49, Jignesh Patel wrote:
>> Does OpenLDAP have a provision like Active Directory to disable a user?
>>
>> useraccountcontrol 544
>
> At our site I created a new attribute 'globalLock' for every account and
> filter on that at the service end. For example in /etc/ldap.conf for PAM:
>
> pam_filter (globalLock=off)
>
> Enabled users get globalLock set to 'off'. Any other value will lock the user
> out.
>
> It's simple enough to use in Apache and other applications too.

The downside is that you have to configure it in each system. This is not
always possible.

I usually have an ACL like this for active human users' passwords which
1. allows all users to log in,
2. grants write-only access for admins and
3. grants write-only access for the user himself.

access to
  dn.onelevel="ou=People,dc=example,dc=com"
  attrs=userPassword
  filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0))
    by group="cn=Admins,ou=Groups,dc=example,dc=com" =wx
    by self =wx
    by * auth

Ciao, Michael.
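An added example, not part of the message above and not slapd code: a simplified Python model of slapd's first-match ACL evaluation for the rule in the mail. It shows that an entry whose organizationalStatus is not 0 only falls through to whatever rules follow, so a broad rule further down can make the account able to bind again. The sample entries and the `later_rules` lists are constructed for illustration.

```python
# Simplified model of slapd's first-match ACL evaluation (not slapd code).
PEOPLE = "ou=People,dc=example,dc=com"
ORDER = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def is_onelevel(dn, base):
    """dn.onelevel: dn must be an immediate child of base."""
    rdn, _, parent = dn.partition(",")
    return bool(rdn) and parent.lower() == base.lower()

def rule_applies(entry, attr):
    """<what> part of the ACL in the mail: scope, attribute and filter."""
    return (attr == "userPassword"
            and is_onelevel(entry["dn"], PEOPLE)
            and "inetOrgPerson" in entry["objectClass"]
            and entry.get("organizationalStatus") == "0")

def anonymous_access(entry, attr, later_rules=()):
    """Access an anonymous client gets; the first matching <what> decides."""
    if rule_applies(entry, attr):
        return "auth"                 # "by * auth" (group/self clauses do not match)
    for what, level in later_rules:   # hypothetical rules placed after it,
        if what in ("*", attr):       # each modelled as "access to <what> by * <level>"
            return level
    return "none"                     # implicit "access to * by * none"

def can_bind(entry, later_rules=()):
    """A simple bind needs at least auth on userPassword before authentication."""
    level = anonymous_access(entry, "userPassword", later_rules)
    return ORDER.index(level) >= ORDER.index("auth")

# Constructed sample entries.
ACTIVE = {"dn": "uid=alice," + PEOPLE, "objectClass": ["inetOrgPerson"],
          "organizationalStatus": "0"}
DISABLED = {"dn": "uid=bob," + PEOPLE, "objectClass": ["inetOrgPerson"],
            "organizationalStatus": "1"}
NESTED = {"dn": "uid=carol,ou=Staff," + PEOPLE, "objectClass": ["inetOrgPerson"],
          "organizationalStatus": "0"}

if __name__ == "__main__":
    catch_all = [("*", "read")]                       # broad rule further down
    guarded = [("userPassword", "none")] + catch_all  # explicit deny placed first
    for name, e in (("active", ACTIVE), ("disabled", DISABLED), ("nested", NESTED)):
        print(name, can_bind(e), can_bind(e, catch_all), can_bind(e, guarded))
```

On a real server, the same question can be put to the slapacl tool shipped with OpenLDAP, which evaluates the configured access lists for a given entry and attribute.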