[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Enable/Disable user account in openLDAP

On Monday, 21 November 2011 16:17:33 Christian Manal wrote:
> Am 21.11.2011 14:25, schrieb Jayavant Patil:
> > Hi,
> > 
> >    I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know
> >    how
> > 
> > to enable/disable a user account in openLDAP?  I know ppolicy overlay but
> > I don't require this password based locking.
> > 
> >    Thanks in advance.
> Hi,
> we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the
> userPassword (i.E. putting some random string before the '{HASH}' part),
> settings the loginShell to '/bin/false' and putting the 'D' flag in
> sambaAcctFlags.
> Scrambling userPassword will prevent logins based on simple bind,
> changing the loginShell prevents PublicKey logins

No, it prevents starting a shell by ssh with public key, it doesn't prevent 
access which does not spawn a shell (such as ssh tunnel).

> and 'D' in
> sambaAcctFlags disables logins with Samba and Heimdal Kerberos.

But if you use anything else that uses Samba's password hashes (such as 
FreeRADIUS with mschap), that won't lock the user out.

IMHO, there is currently no convenient complete solution.