
Re: OpenLDAP with ppolicy and SSSD configuration question.



On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote:

> So, I need a reliable way to lock an account that can handle both methods.

I haven't followed the thread closely, but if I understand
you correctly: you want to disable/lock an account, without
hiding it from ls etc.?

As in, making sure the user can't authenticate?


If this is the case, do it the old standardized UNIX way: put
an asterisk in front of the password.

Example: I'm using Kerberos V as 'password storage', hence my
userPassword attribute looks like:

	dn: uid=turbo,ou=People,o=FREQVIST,c=SE
	userPassword: {SASL}turbo@BAYOUR.COM

The simplest way to lock me out would be to do a:

	dn: uid=turbo,ou=People,o=FREQVIST,c=SE
	changetype: modify
	replace: userPassword
	userPassword: *{SASL}turbo@BAYOUR.COM

and send this to 'ldapmodify'...


This (should) work with any form of system you're using
(pam, nss, sssd etc.). It simply stops the authorization
process, nothing else.
--
Choose a job you love, and you will never have
to work a day in your life.
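As an added example (not from the original thread), a small Python helper that produces the lock and unlock LDIF for the asterisk convention described in the post, keeps the operation idempotent (re-locking never stacks asterisks), rewrites every value of a multi-valued userPassword so no unlocked value is left behind, and base64-encodes values that RFC 2849 does not allow in plain form. The DN and userPassword value are the ones from the post; the function names and the "partial" state label are my own.

```python
"""Lock/unlock an LDAP account by prefixing userPassword with '*' and emit the
corresponding ldapmodify LDIF. Example code, not from the mailing-list post;
the DN and password value below are the post's, everything else is constructed."""
import base64

LOCK_PREFIX = "*"


def is_locked(value: str) -> bool:
    """A userPassword value counts as locked when it carries the '*' prefix."""
    return value.startswith(LOCK_PREFIX)


def lock_value(value: str) -> str:
    """Return the locked form; idempotent, so a second lock changes nothing."""
    return value if is_locked(value) else LOCK_PREFIX + value


def unlock_value(value: str) -> str:
    """Strip exactly one lock prefix, restoring the original stored credential."""
    return value[len(LOCK_PREFIX):] if is_locked(value) else value


def account_state(values: list[str]) -> str:
    """Audit helper: 'locked', 'unlocked', or 'partial' when a multi-valued
    userPassword mixes locked and unlocked values (one unlocked value is
    enough for a bind to still be attempted against it)."""
    flags = {is_locked(v) for v in values}
    return "partial" if len(flags) > 1 else ("locked" if flags == {True} else "unlocked")


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF line; base64 ('::') when the value is not an RFC 2849
    SAFE-STRING: non-ASCII, NUL/CR/LF, leading ' ', ':' or '<', trailing ' '."""
    safe = (value.isascii()
            and not any(ch in value for ch in "\x00\r\n")
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"


def ldif_modify(dn: str, values: list[str], lock: bool) -> str:
    """Build the 'replace: userPassword' record from the post for all values."""
    new = [lock_value(v) if lock else unlock_value(v) for v in values]
    lines = [ldif_attr("dn", dn), "changetype: modify", "replace: userPassword"]
    lines += [ldif_attr("userPassword", v) for v in new]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn = "uid=turbo,ou=People,o=FREQVIST,c=SE"
    print(ldif_modify(dn, ["{SASL}turbo@BAYOUR.COM"], lock=True))
    print(ldif_modify(dn, ["*{SASL}turbo@BAYOUR.COM"], lock=False))
```

Pipe the output into `ldapmodify` as the post describes; run `account_state` over the values returned by `ldapsearch` to confirm no value was left unlocked.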