
Re: Enable/Disable user account in openLDAP



Am 22.11.2011 11:25, schrieb Buchan Milne:
> On Monday, 21 November 2011 16:17:33 Christian Manal wrote:
>> Am 21.11.2011 14:25, schrieb Jayavant Patil:
>>> Hi,
>>>
>>>    I am using openldap-2.4.19-4 on a fedora 12 machine. Does anybody know how
>>>
>>> to enable/disable a user account in openLDAP?  I know ppolicy overlay but
>>> I don't require this password based locking.
>>>
>>>    Thanks in advance.
>>
>> Hi,
>>
>> we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the
>> userPassword (i.e. putting some random string before the '{HASH}' part),
>> setting the loginShell to '/bin/false' and putting the 'D' flag in
>> sambaAcctFlags.
>>
>> Scrambling userPassword will prevent logins based on simple bind,
>> changing the loginShell prevents PublicKey logins
> 
> No, it prevents starting a shell by ssh with public key, it doesn't prevent 
> access which does not spawn a shell (such as ssh tunnel).

I know it's not perfect, but it's good enough for us.


>> and 'D' in
>> sambaAcctFlags disables logins with Samba and Heimdal Kerberos.
> 
> But if you use anything else that uses Samba's password hashes (such as 
> FreeRADIUS with mschap), that won't lock the user out.

That's right. Luckily, we don't have anything like that. If it ever
comes around, I can still modify my ACLs.


> IMHO, there is currently no convenient complete solution.

Agreed.


Regards,
Christian Manal
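The locking recipe quoted above (a random string in front of the '{HASH}' part of userPassword so the hash stays recoverable, loginShell set to /bin/false, 'D' added to sambaAcctFlags) as an LDIF generator; this is an added example, not code from the thread. The DN, hash and flag values are constructed, and the shell restored on re-enable is an assumption.

```python
import secrets

# Constructed sample DN; the thread names no real entry.
EXAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"

def scramble_password(userpassword, token=None):
    """Prefix a random string to a '{SCHEME}hash' value so no simple bind
    can succeed, while keeping the original hash recoverable for re-enabling."""
    if not userpassword.startswith("{"):
        raise ValueError("expected a hashed value starting with '{SCHEME}'")
    token = token or secrets.token_hex(8)
    return "!" + token + "!" + userpassword

def unscramble_password(userpassword):
    """Drop everything before the first '{' to restore the original hash."""
    return userpassword[userpassword.index("{"):]

def set_disabled_flag(samba_acct_flags, disabled=True):
    """Add or remove 'D' in a '[U          ]' style sambaAcctFlags value,
    preserving the bracketed, space-padded width Samba writes."""
    inner = samba_acct_flags.strip()[1:-1]
    letters = inner.replace(" ", "").replace("D", "")
    if disabled:
        letters = "D" + letters
    return "[" + letters.ljust(len(inner)) + "]"

def account_modify_ldif(dn, userpassword, samba_acct_flags, disable=True,
                        token=None, shell="/bin/bash"):
    """Build the ldapmodify LDIF that locks (or unlocks) one account.
    'shell' is the assumed shell to restore when re-enabling."""
    if disable:
        pw = scramble_password(userpassword, token)
        shell = "/bin/false"
    else:
        pw = unscramble_password(userpassword)
    flags = set_disabled_flag(samba_acct_flags, disabled=disable)
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: userPassword", f"userPassword: {pw}", "-",
        "replace: loginShell", f"loginShell: {shell}", "-",
        "replace: sambaAcctFlags", f"sambaAcctFlags: {flags}", "-", ""])

if __name__ == "__main__":
    # Constructed hash value, not a real credential.
    print(account_modify_ldif(EXAMPLE_DN, "{SSHA}c2FsdGVkaGFzaA==", "[U          ]"))
```

Feed the output to ldapmodify; as the replies above note, this still leaves shell-less SSH access (tunnels) and services that check the Samba hashes directly unlocked.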