
Re: OpenLDAP with ppolicy and SSSD configuration question.



On 28/11/2013 08:56, Turbo Fredriksson wrote:
> On Nov 28, 2013, at 9:30 AM, Liam Gretton wrote:
>
>> Now I use a custom 'lock' attribute on all accounts and use a LDAP filter at the client end. This is fine for our purposes but could be a problem for appliances that don't provide much in the way of LDAP configuration options.
>
> I've used something similar to limit access on host level, but if
> I remember correctly, such a filter would hide the account from
> the system, not only lock it... ?

No, this is PAM configuration, not NSS.

You can use 'pam_filter' in the PAM LDAP module to filter on an attribute's value. For NSS there's a similar 'filter' option but as long as that's not changed the user won't disappear.

--
Liam Gretton                                    liam.gretton@le.ac.uk
Systems Specialist                            http://www.le.ac.uk/its
IT Services                                   Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
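
The PAM-versus-NSS distinction discussed in this message, as an added example that is not part of the original post or of any project's code: a small in-memory evaluator for a subset of LDAP filters shows that a filter on a 'lock' attribute blocks the PAM user search while an unfiltered NSS lookup still returns the account. Assumptions: the directory entries, the value `TRUE` for 'lock', `uid` as the login attribute, and modelling the PAM search as `pam_filter` ANDed with the login attribute.

```python
# Added illustration: evaluates the LDAP filter subset (&, |, !, attr=value)
# against constructed entries to compare a PAM-side filter with an NSS lookup.

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed composite filter")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("only attr=value items are supported")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """An absent attribute makes an equality test false, so NOT makes it true."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(k, entry) for k in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def search(directory, flt):
    node, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return [e["uid"][0] for e in directory if matches(node, e)]

# Constructed sample directory; 'lock' is the custom attribute from the thread,
# its TRUE/FALSE values are an assumption.
DIRECTORY = [
    {"uid": ["alice"], "lock": ["FALSE"]},
    {"uid": ["bob"], "lock": ["TRUE"]},
    {"uid": ["carol"]},  # 'lock' not set at all
]
PAM_FILTER = "!(lock=TRUE)"  # hypothetical pam_filter value

def pam_lookup(user):
    if not user.isalnum():  # keep filter metacharacters out of the search
        raise ValueError("unexpected characters in user name")
    return search(DIRECTORY, f"(&({PAM_FILTER})(uid={user}))")

def nss_lookup(user):
    if not user.isalnum():
        raise ValueError("unexpected characters in user name")
    return search(DIRECTORY, f"(uid={user})")
```

Note that an account with no 'lock' attribute at all passes this negated filter, so the choice between `!(lock=TRUE)` and a positive match decides whether unset accounts fail open or closed.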