
Re: Question on best way to partially disable users


On 11-09-02 12:55 PM, Dan White wrote:
On 02/09/11 12:38 -0700, Ski Kacoroski wrote:
I have an openldap server that several applications use for
authentication. What we need to do is when a person is disabled, we
need to disable access for that user for all applications but one
(employeeonline). My first thought was simply to move the disabled
person to a different OU (e.g. ou=eoonly,dc=... instead of
ou=people,dc=...). The problem I am running into is that
employeeonline is windows/vbscript that uses SASL to bind which means
that I cannot just move the user to a different OU as they are always
coming in as sasl-realm OL.NSD.ORG. Does anyone have a good trick for
how to do this? So far all I have come up with is:

1. Bind as an admin user and then check the user's password instead of
binding as the user.

2. Figure out some way for vbscript to bind as a different SASL realm.

Use a search based mapping like:


which should (sasl) authenticate the user regardless of which subtree they
exist in, underneath dc=example,dc=net.


Thanks so very, very much.  This worked perfectly.


"When we try to pick out anything by itself, we find it
 connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, Unix Admin, NSD
206-501-9803, ski98033 on IRC and most IM services
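
The following slapd.conf fragment is an added illustration of a search-based SASL mapping of the kind discussed in this thread, shown next to a direct mapping for contrast; it is not the directive from the original message. The realm, suffix and OU names come from the thread, while the `uid` attribute and the wildcard mechanism component are assumptions.

```conf
# slapd.conf fragment (added example; uid as the naming/search attribute
# and the wildcard SASL mechanism component are assumptions).

# Before: direct mapping. Every SASL identity in the realm is rewritten to
# a fixed DN under ou=people, so an entry that has been moved to ou=eoonly
# is no longer resolved to its real DN.
#authz-regexp
#    uid=([^,]*),cn=OL.NSD.ORG,cn=[^,]*,cn=auth
#    uid=$1,ou=people,dc=example,dc=net

# After: search-based mapping. slapd searches the whole suffix (scope sub)
# for the entry, so the SASL identity maps to the user's DN whether the
# entry lives in ou=people or ou=eoonly. The search has to return exactly
# one entry; zero or several matches make the authentication fail.
authz-regexp
    uid=([^,]*),cn=OL.NSD.ORG,cn=[^,]*,cn=auth
    ldap:///dc=example,dc=net??sub?(uid=$1)
```

Because the mapping now finds users in every subtree, the other applications stay closed to disabled users only while their own search base or ACLs remain limited to ou=people.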