On 27/11/2013 20:51, Michael Ströder wrote:
> Viviano, Brad wrote:
>> I can't foresee a time I would want a user to just disappear entirely from a system because their password is locked. I don't want locked users to be invisible, I want them to be locked so they can't log in.
>
> Gee, can't you read about ACLs *before* responding like that. You don't have to make them invisible like I do. You can also just lock auth access to 'userPassword'.
Changing access to userPassword, whether by ACL or by modifying the attribute value itself, doesn't have any effect when the user has an SSH key, because LDAP is not involved in authentication.
There's no clean way to deal with this in my opinion. In the past I've modified accounts' shell attribute to prevent logins at the point they're determined to be disabled, and put back when the account is deemed unlocked.
Modifying the shell is useless for non-Unix systems though (web applications for example).
Now I use a custom 'lock' attribute on all accounts and use an LDAP filter at the client end. This is fine for our purposes but could be a problem for appliances that don't provide much in the way of LDAP configuration options.
--
Liam Gretton                                    liam.gretton@le.ac.uk
HPC Architect                                 http://www.le.ac.uk/its/
IT Services                                   Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
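As an added illustration of the client-side filter approach described above (not configuration from the thread or from any of its authors), here is how the same idea looks in an sssd.conf domain section. It assumes SSSD as the LDAP client and a hypothetical lock attribute named x-accountLocked; the access filter is enforced in the PAM account phase, so it applies to SSH public-key logins as well as password logins.

```ini
; /etc/sssd/sssd.conf (added example; placeholder server and base DN)
[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.invalid
ldap_search_base = dc=example,dc=invalid

; Lookup filter: locked accounts simply never resolve as Unix users.
; (This is the "disappear entirely" behaviour some sites do not want.)
; ldap_user_search_filter = (&(objectClass=posixAccount)(!(x-accountLocked=TRUE)))

; Access filter: the user still resolves (files, groups, mail still work),
; but pam_sss denies the account at login time, for any auth method.
ldap_access_order = filter
ldap_access_filter = (!(x-accountLocked=TRUE))
```

Systems that authenticate against LDAP directly (web applications, appliances) need the same filter applied in their own bind or search configuration, as the thread notes.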