Christian Manal wrote:
On 21.11.2011 14:25, Jayavant Patil wrote:
Hi,
I am using openldap-2.4.19-4 on a Fedora 12 machine. Does anybody know how to enable/disable a user account in OpenLDAP? I know the ppolicy overlay, but I don't require this password-based locking.
We lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the userPassword (i.e. putting some random string before the '{HASH}' part), setting the loginShell to '/bin/false' and putting the 'D' flag in sambaAcctFlags.
With this approach you cannot re-enable an account without going through a password reset process. This might be OK in your deployment, but it's not what temporarily disabling a user is about.
I usually do this with ACLs for the userPassword attribute.
Ciao, Michael.
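
The three locking steps described in the thread (random string before the '{HASH}' part of userPassword, loginShell set to '/bin/false', 'D' flag in sambaAcctFlags), as an added example that is not code from any poster here. It builds the LDIF modify record for one entry. The DN, the sample entry, the function names and the 11-character padded flag field with 'D' placed first are assumptions made for this sketch.

```python
import secrets

FLAG_WIDTH = 11  # assumption: padded width of the field between '[' and ']'

def lock_password(user_password: str) -> str:
    """Put a random string before the '{HASH}' tag so no password verifies."""
    if not user_password.startswith("{"):
        # Already prefixed (locked) or not a hashed value: refuse to touch it.
        raise ValueError("userPassword does not start with a {SCHEME} tag")
    return secrets.token_hex(8) + user_password

def add_disabled_flag(acct_flags: str) -> str:
    """Add 'D' to a bracketed sambaAcctFlags value, keeping existing flags."""
    if not (acct_flags.startswith("[") and acct_flags.endswith("]")):
        raise ValueError("sambaAcctFlags is not in [flags] form")
    flags = acct_flags[1:-1].replace(" ", "")
    if "D" not in flags:
        flags = "D" + flags
    return "[" + flags.ljust(FLAG_WIDTH) + "]"

def lock_ldif(dn: str, entry: dict) -> str:
    """Return an LDIF 'changetype: modify' record applying all lock steps."""
    changes = [
        ("userPassword", lock_password(entry["userPassword"])),
        ("loginShell", "/bin/false"),
    ]
    if "sambaAcctFlags" in entry:  # only present on Samba-enabled accounts
        changes.append(("sambaAcctFlags", add_disabled_flag(entry["sambaAcctFlags"])))
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes:
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample entry; the hash value is a placeholder, not a real one.
    sample = {
        "userPassword": "{SSHA}Q09OU1RSVUNURUQ=",
        "loginShell": "/bin/bash",
        "sambaAcctFlags": "[" + "U".ljust(FLAG_WIDTH) + "]",
    }
    print(lock_ldif("uid=jdoe,ou=people,dc=example,dc=org", sample), end="")
```

The printed record can be reviewed and then applied with ldapmodify.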