
Re: Enable/Disable user account in openLDAP



On 21.11.2011 18:21, Michael Ströder wrote:
> Christian Manal wrote:
>> On 21.11.2011 15:59, Michael Ströder wrote:
>>> Christian Manal wrote:
>>>> On 21.11.2011 14:25, Jayavant Patil wrote:
>>>>> Hi,
>>>>>
>>>>>    I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know how
>>>>> to enable/disable a user account in openLDAP?  I know ppolicy overlay but I
>>>>> don't require this password based locking.
>>>>
>>>> we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the
>>>> userPassword (i.e. putting some random string before the '{HASH}' part),
>>>
>>> With this approach you cannot re-enable an account without going through a
>>> password reset process.
>>
>> Yes you can. For example, I change userPassword for a user from
>>
>>    userPassword: {SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
>>
>> to
>>
>>    userPassword: foobar{SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
>>
>> The password will now be interpreted as clear text. The user would have
>> to know the hash for his password and the random 'foobar' part, to log
>> in. To re-enable the password, I simply remove everything before '{SSHA}'.
> 
> No doubt: With IT everything is possible - everything...but if it makes sense
> is another question.

It gets the job done. I never said it was clean :P


> While this might work for you with custom code, having ACLs for userPassword is
> the much cleaner approach without having to mess with password values and
> without having to write any custom code:

True, your way is more optimal and I may actually "steal" it.

As for custom code, I already need that to change the other attributes I
mentioned, plus some from a homebrew schema. So, at least for my
environment, it doesn't really matter.


Regards,
Christian Manal
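The lock/unlock convention Christian describes above, written out as a small added example (not code from the thread or from OpenLDAP): a value is treated as "locked" when a {SCHEME} tag exists but something precedes it, locking prepends a random string, and unlocking strips everything before the tag. Function names, the random prefix from secrets, and the LDIF helper are my assumptions; a value with no {SCHEME} tag is refused, since prepending to a clear-text password would change it with no way to recover the original.

```python
import re
import secrets

# RFC 2307-style scheme tag at the start of a hashed userPassword: {SSHA}, {CRYPT}, {MD5}, ...
SCHEME_RE = re.compile(r"\{[A-Za-z0-9-]+\}")


def find_scheme(value: str):
    """Return (start, end) of the first {SCHEME} tag in value, or None if there is none."""
    m = SCHEME_RE.search(value)
    return (m.start(), m.end()) if m else None


def is_locked(value: str) -> bool:
    """Locked by this convention: a {SCHEME} tag exists but is not at offset 0."""
    span = find_scheme(value)
    return span is not None and span[0] > 0


def lock_password(value: str, prefix: str = "") -> str:
    """Disable the account by prepending junk; slapd then treats the whole value as clear text.

    Refuses values without a {SCHEME} tag, because unlock could not find where the
    original password begins. Idempotent on already-locked values.
    """
    if find_scheme(value) is None:
        raise ValueError("no {SCHEME} tag: refusing to lock a clear-text userPassword")
    if is_locked(value):
        return value
    return (prefix or secrets.token_hex(8)) + value  # random prefix is an assumption


def unlock_password(value: str) -> str:
    """Re-enable by dropping everything before the {SCHEME} tag; the stored hash is untouched."""
    span = find_scheme(value)
    if span is None:
        raise ValueError("no {SCHEME} tag: cannot tell where the original hash starts")
    return value[span[0]:]


def modify_ldif(dn: str, new_value: str) -> str:
    """LDIF change record (hypothetical helper) that could be fed to ldapmodify."""
    return f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword: {new_value}\n"


if __name__ == "__main__":
    # Constructed sample: the hash value quoted in the thread.
    original = "{SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em"
    locked = lock_password(original, "foobar")
    print(modify_ldif("uid=jdoe,ou=people,dc=example,dc=org", locked))
    print("locked:", is_locked(locked), "restored:", unlock_password(locked) == original)
```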