Re: Enable/Disable user account in openLDAP



Christian Manal wrote:
> On 21.11.2011 14:25, Jayavant Patil wrote:
>> Hi,
>>
>>    I am using openldap-2.4.19-4 on a Fedora 12 machine. Does anybody know how
>> to enable/disable a user account in openLDAP?  I know the ppolicy overlay but I
>> don't require this password based locking.
> 
> We lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the
> userPassword (i.e. putting some random string before the '{HASH}' part),
> setting the loginShell to '/bin/false' and putting the 'D' flag in
> sambaAcctFlags.

With this approach you cannot re-enable an account without going through a
password reset process. This might be ok in your deployment but it's not what
temporarily disabling a user is about.

I usually do this with ACLs for the userPassword attribute.

Ciao, Michael.
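
One possible shape of the ACL approach mentioned in the reply above, added here as an example and not taken from the post, which does not say how its ACLs are written. The suffix `dc=example,dc=com`, the `ou=people` subtree and the convention of marking a disabled account with `employeeType: disabled` are assumptions.

```conf
# slapd.conf fragment (added example; names below are assumptions).
#
# Rule 1: for entries carrying the assumed marker employeeType=disabled,
# nobody gets any access to userPassword, not even "auth". A simple bind
# needs "auth" access to userPassword on the target entry, so binds to
# these accounts fail while the stored hash stays untouched.
access to dn.subtree="ou=people,dc=example,dc=com"
        filter="(employeeType=disabled)"
        attrs=userPassword
    by * none

# Rule 2: normal handling for every other entry. slapd applies the first
# matching "access to" clause, so this must come after rule 1.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Rule 3: users must not be able to change the marker on their own entry,
# otherwise a session opened before the lock could undo it. Only the
# assumed admin group may write it.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=employeeType
    by group.exact="cn=account-admins,ou=groups,dc=example,dc=com" write
    by * read
```

Re-enabling the account is a matter of removing the marker value; the password hash was never modified, so no reset is needed. Connections that were already bound before the marker was set stay authenticated until they close.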