
Re: disabling user account



Liam Gretton wrote:
> On 19/04/2013 17:20, Howard Chu wrote:
> 
>> Better to do this in a slapd ACL and enforce from the server side, than to
>> rely on correctness of multiple clients.
>>
>>     access to attrs=userpassword filter=(globalLock=off)
>>         by anonymous auth
> 
> We don't use LDAP for passwords, and that wouldn't prevent SSH key logins either.

You could (or better should) easily extend this ACL-based approach to whole
user entries.
Use your imagination. Actually I'm doing this all the time.

> Also we trust our client config just as much as our LDAP config.

I often have to deal with clients where I can't set a filter in client
configuration at all. Usually some appliances are a nightmare to configure.

Ciao, Michael.
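
One way the extension to whole user entries suggested above could look in slapd.conf, as an added example that is not from either participant in this thread. The suffix dc=example,dc=com, the ou=people subtree and the admin DN are assumed placeholders; globalLock is the site-specific attribute from the quoted ACL.

```conf
# Added example, not from the thread. DNs below are placeholders.
#
# slapd applies the first "access to" clause whose <what> part matches,
# so the clause for locked entries has to come before the general ones.

# 1. Any people entry whose globalLock is not "off" (the negated filter
#    also matches entries that carry no globalLock value at all):
#    every attribute is withheld from everyone except the admin DN, so
#    clients cannot bind as the user or look up uid, SSH keys and so on.
access to dn.subtree="ou=people,dc=example,dc=com"
        filter="(!(globalLock=off))"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# 2. Unlocked entries: passwords are usable for bind only.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by dn.exact="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none

# 3. Unlocked entries: the lock flag itself is admin-only for writes, so a
#    user cannot unlock their own account.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=globalLock
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none

# 4. Unlocked entries: everything else is readable by authenticated clients.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none
```

Because the locked entry is withheld by the server, clients that cannot be given a search filter see the account as absent without any client-side change.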
