
Re: About locked LDAP user

2010/11/22 Gary.jsz <gary.jsz@gmail.com>:
> Hi, all.
>     I'm a new OpenLDAP user, but now I have a problem with LDAP user
> management.
>     I want to stop a specific user in the LDAP system, but I don't want to
> delete this user or change the user's password.
>     How do I lock this user? Something like "passwd -l xxx" on a Linux
> system, which locks system users.
>     Help me, please!

LDAP is just a storage system with a simple, fast protocol; it really
doesn't perform any actions per se except for the storage and
retrieval of information organized in a directory tree.

Therefore, blocking a user is not the task of LDAP directly, but of
your authentication system, which is somehow integrated with LDAP. In the
case of *nix it's probably PAM that is authenticating the users, and
it is PAM that, based on certain criteria, will decide to allow access
or not. On a stand-alone *nix system these criteria come from the auth
files such as passwd, shadow or others, but when PAM is integrated
with LDAP, it looks for the criteria in the directory instead of
the local files.

So, in effect, you will block the user if you modify the data in LDAP,
but it is PAM that is actually doing the blocking, based on a piece of
information that you modified. The specifics of your problem depend on
how your authentication system works, and on what attributes it uses to
determine authentication, blocking, password change policies,
hours of entry, etc.


Alejandro Imass