[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP with ppolicy and SSSD configuration question.

On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote:

> So, I need a reliable way to lock an account that can handle both methods.

I haven't followed the thread closely, but if I understand
you correctly: You want to disable/lock an account, without
hiding it from ls etc?

As in, making sure the user can't authenticate?

If this is the case, do it the old standardized UNIX way: put
an asterisk in front of the password.

Example: I'm using Kerberos V as 'password storage', hence my
userPassword attribute looks like:

	dn: uid=turbo,ou=People,o=FREQVIST,c=SE
	userPassword: {SASL}turbo@BAYOUR.COM

Simplest way to lock me out, would simply do a:

	dn: uid=turbo,ou=People,o=FREQVIST,c=SE
	changetype: modify
	replace: userPassword
	userPassword: *{SASL}turbo@BAYOUR.COM

and send this to 'ldapmodify'...

This (should) work with any form of system you're using
(pam, nss, sssd etc). It simply stops the authorization
process, nothing else.
Choose a job you love, and you will never have
to work a day in your life.