[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How to disable or enable an ldap user account

To: openldap-technical@openldap.org
Subject: Re: How to disable or enable an ldap user account
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Tue, 21 Oct 2008 16:09:43 +0200
Cc: RamakrishnaDeepak Battu <ramakrishnadeepak@gmail.com>, Almir Karic <redduck666@gmail.com>, Bill Jorgensen <Bill.Jorgensen@eim-usa.com>
Content-disposition: inline
In-reply-to: <e5697b5d0810210639q22fc9082vb04a9562a8ea8e4c@mail.gmail.com>
References: <9b120ece0810200445t97e6fedyf661e89157b62ba2@mail.gmail.com> <1C07CB0CA943414BAE12C8ECBC533ADB022F862B@eim-corp07> <e5697b5d0810210639q22fc9082vb04a9562a8ea8e4c@mail.gmail.com>
User-agent: KMail/1.10.1 (Linux/2.6.27-desktop-0.rc8.2mnb; KDE/4.1.2; x86_64; ; )

On Tuesday 21 October 2008 15:39:25 Almir Karic wrote:
> On Mon, Oct 20, 2008 at 4:37 PM, Bill Jorgensen
>
> <Bill.Jorgensen@eim-usa.com> wrote:
> > I would need a little more information to help you. I have been working
> > LDAP within AIX so I know that pretty well...
>
> what i'd like to know is how to disable an account so you can't bind
> as disabled user, while if i change my mind you can still bind as that
> user (with the old password).  any hints?

To achieve this (and not rely on shadowAccount etc.), you probably need to use 
the OopenLDAP ppolicy overlay, and lock the user out with the 
pwdAccountLockedTime attribute.

E.g.:

$ read -s -p 'LDAP Password: ' LDAPPASS
LDAP Password: 
$ ldapwhoami -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w 
$LDAPPASS
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com

Lock the user out:
# TZ=Z date "+%Y%m%d%H%M%SZ"
20081021135537Z
# ldapmodify
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
add: pwdAccountLockedTime
pwdAccountLockedTime: 20081021135537Z

modifying entry "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"

Try and bind now:
$ ldapwhoami -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w 
$LDAPPASS
ldap_bind: Invalid credentials (49)


Unlock the account:
# ldapmodify
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
delete: pwdAccountLockedTime

modifying entry "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"

Bind again:
$ ldapwhoami -e ppolicy -x -D 
uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com


The configuration required for this:

(if this is not your default policy)

$ ldapsearch -LLL -x "(uid=bgmilne)" pwdPolicySubEntry
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=co
 m

$ ldapsearch -LLL -x -s base -b 'cn=default,ou=Password 
Policies,dc=ranger,dc=dnsalias,dc=com'
dn: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com
cn: default
objectClass: pwdPolicy
objectClass: namedObject
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMustChange: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 3
pwdGraceAuthNLimit: 5
pwdMinLength: 6
pwdMaxAge: 1800


# grep ppolicy /etc/openldap/slapd.conf
include /usr/share/openldap/schema/ppolicy.schema
moduleload      ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com"


(overlay ppolicy and ppolicy_default need to be in the database section)


Regards,
Buchan

References:
- How to disable or enable an ldap user account
  - From: "RamakrishnaDeepak Battu" <ramakrishnadeepak@gmail.com>
- RE: How to disable or enable an ldap user account
  - From: "Bill Jorgensen" <Bill.Jorgensen@eim-usa.com>
- Re: How to disable or enable an ldap user account
  - From: "Almir Karic" <redduck666@gmail.com>

Prev by Date: Re: How to disable or enable an ldap user account
Next by Date: Re: Issue while implementing Password Policy
Index(es):
- Chronological
- Thread