[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Enable/Disable user account in openLDAP

Am 22.11.2011 11:25, schrieb Buchan Milne:
> On Monday, 21 November 2011 16:17:33 Christian Manal wrote:
>> Am 21.11.2011 14:25, schrieb Jayavant Patil:
>>> Hi,
>>>    I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know
>>>    how
>>> to enable/disable a user account in openLDAP?  I know ppolicy overlay but
>>> I don't require this password based locking.
>>>    Thanks in advance.
>> Hi,
>> we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the
>> userPassword (i.E. putting some random string before the '{HASH}' part),
>> settings the loginShell to '/bin/false' and putting the 'D' flag in
>> sambaAcctFlags.
>> Scrambling userPassword will prevent logins based on simple bind,
>> changing the loginShell prevents PublicKey logins
> No, it prevents starting a shell by ssh with public key, it doesn't prevent 
> access which does not spawn a shell (such as ssh tunnel).

I know it's not perfect, but it's good enough for us.

>> and 'D' in
>> sambaAcctFlags disables logins with Samba and Heimdal Kerberos.
> But if you use anything else that uses Samba's password hashes (such as 
> FreeRADIUS with mschap), that won't lock the user out.

That's right. Luckily, we don't have anything like that. If it ever
comes around, I can still modify my ACLs.

> IMHO, there is currently no convenient complete solution.


Christian Manal