
Re: Enable/Disable user account in openLDAP



On 21.11.2011 18:52, Michael Ströder wrote:
> Christian Manal wrote:
>> As for custom code, I already need that to change the other attributes I
>> mentioned, plus some from a homebrew schema. So, at least for my
>> environment, it doesn't really matter.
> 
> You can make the other attributes invisible by ACL too...


Yeah, I could restrict access to the appropriate Samba and Kerberos
attributes. But if I "hide" loginShell, users will just get a default
shell and therefore still be able to log in via ssh public key. So I
either set an invalid shell or change permissions for the key files in
their home directory. Both require custom code, and by changing the
shell, I keep everything inside LDAP.

And as I said, I have a custom schema in my DIT that needs some
attributes set for locked accounts, so I need custom code anyway. And
since everything that doesn't use simple bind in my environment honors
the 'D' flag in sambaAcctFlags, it is imho just as clean as using ACLs,
for those applications.


Regards,
Christian Manal
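The "custom code" route discussed above, as an added example that is not code from the original thread or from OpenLDAP or Samba: it builds the modify operations that lock or unlock an account by replacing loginShell with a nologin shell and setting or clearing the 'D' flag in sambaAcctFlags, and it reports which login paths an entry still leaves open. The nologin shell path, the dict shape of an entry ({attribute: [values]}, as python-ldap and ldap3 return it) and the ("replace", attribute, values) modlist form are assumptions; the custom-schema attributes mentioned in the message are not modelled.

```python
import re

# Assumptions for this example (not from the original thread):
# - a nologin shell is what "invalid shell" means in practice;
# - entries are plain dicts {attribute: [values]} as returned by python-ldap
#   or ldap3, so the logic can be exercised without a directory connection.
NOLOGIN_SHELL = "/usr/sbin/nologin"
NOLOGIN_SHELLS = {NOLOGIN_SHELL, "/sbin/nologin", "/bin/false"}

# sambaAcctFlags is written by Samba as "[" + flag letters padded with spaces
# to 11 characters + "]", e.g. "[U          ]" or "[UD         ]".
FLAGS_WIDTH = 11
_FLAGS_RE = re.compile(r"^\[([A-Za-z ]{0,%d})\]$" % FLAGS_WIDTH)


def parse_acct_flags(value):
    """Return the flag letters of a sambaAcctFlags value, in their original order."""
    m = _FLAGS_RE.match(value)
    if not m:
        raise ValueError("malformed sambaAcctFlags: %r" % value)
    return [c for c in m.group(1) if c != " "]


def format_acct_flags(letters):
    """Inverse of parse_acct_flags: rebuild the space-padded bracket form."""
    body = "".join(letters)
    if len(body) > FLAGS_WIDTH:
        raise ValueError("too many flags for sambaAcctFlags: %r" % body)
    return "[" + body.ljust(FLAGS_WIDTH) + "]"


def with_disabled_flag(value, disabled):
    """Set or clear the 'D' (disabled) flag, leaving every other flag untouched."""
    letters = [c for c in parse_acct_flags(value) if c != "D"]
    if disabled:
        letters.append("D")
    return format_acct_flags(letters)


def lock_modlist(entry, lock, restore_shell="/bin/bash"):
    """Build the modify operations that lock (or unlock) a user entry.

    Each operation is ("replace", attribute, [new value]); the caller maps
    "replace" to ldap.MOD_REPLACE (python-ldap) or MODIFY_REPLACE (ldap3).
    Only attributes whose value actually changes are included, so calling
    this twice yields an empty list the second time. On unlock the shell is
    taken from `restore_shell` (where the original shell is kept is site
    policy and not modelled here).
    """
    mods = []
    shell = entry.get("loginShell", [None])[0]
    wanted_shell = NOLOGIN_SHELL if lock else restore_shell
    if shell != wanted_shell:
        mods.append(("replace", "loginShell", [wanted_shell]))
    if "sambaAcctFlags" in entry:
        flags = entry["sambaAcctFlags"][0]
        wanted_flags = with_disabled_flag(flags, lock)
        if flags != wanted_flags:
            mods.append(("replace", "sambaAcctFlags", [wanted_flags]))
    return mods


def apply_modlist(entry, mods):
    """Apply a modlist from lock_modlist to a dict entry (what the server would do)."""
    result = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        if op != "replace":
            raise ValueError("unsupported op %r" % op)
        result[attr] = list(values)
    return result


def open_login_paths(entry):
    """Which login paths an entry still leaves open, as a client would see it.

    Models the point made in the thread: if loginShell is merely hidden by an
    ACL it is absent from the entry, the NSS client falls back to a default
    shell, and ssh public-key login still works; only a nologin shell closes
    that path. The 'D' flag is what the flag-aware (non simple bind) services
    check. Simple bind is affected by neither attribute and is reported open.
    """
    shell = entry.get("loginShell", [None])[0]
    flags = []
    if "sambaAcctFlags" in entry:
        flags = parse_acct_flags(entry["sambaAcctFlags"][0])
    return {
        "ssh_pubkey": shell not in NOLOGIN_SHELLS,
        "flag_aware": "D" not in flags,
        "simple_bind": True,
    }


if __name__ == "__main__":
    # Constructed sample entry, not real directory data.
    user = {"uid": ["jdoe"], "loginShell": ["/bin/bash"],
            "sambaAcctFlags": [format_acct_flags(["U"])]}
    mods = lock_modlist(user, lock=True)
    print("lock:", mods)
    print("after lock:", open_login_paths(apply_modlist(user, mods)))
    hidden = {"uid": ["jdoe"], "sambaAcctFlags": [format_acct_flags(["U", "D"])]}
    print("loginShell hidden by ACL:", open_login_paths(hidden))
```

The last call in the demo is the case the message warns about: with loginShell hidden rather than replaced, the entry carries the 'D' flag but the ssh public-key path is still reported open.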