Liam Gretton wrote:
On 16/04/2013 19:49, Jignesh Patel wrote:
Does openldap have a provision like active directory to disable a user?
useraccountcontrol 544
At our site I created a new attribute 'globalLock' for every account and filter on that at the service end. For example in /etc/ldap.conf for PAM:
pam_filter (globalLock=off)
Enabled users get globalLock set to 'off'. Any other value will lock the user out.
It's simple enough to use in Apache and other applications too.
The downside is that you have to configure it in each system. This is not always possible.
I usually have an ACL like this for active human users' passwords which 1. allows all users to login, 2. grants write-only access for admins and 3. grants write-only access for the user himself.
access to dn.onelevel="ou=People,dc=example,dc=com" attrs=userPassword filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0)) by group="cn=Admins,ou=Groups,dc=example,dc=com" =wx by self =wx by * auth
Ciao, Michael.
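Added example, not code from either poster: a small evaluator for the equality/AND/OR/NOT subset of LDAP search filters, run against constructed entries to show what the pam_filter (globalLock=off) check and the organizationalStatus ACL filter above accept and reject. It assumes case-insensitive matching for the attributes involved and that a user lacking the attribute entirely fails the filter (the fail-closed behaviour both posts rely on).

```python
# Constructed example: minimal RFC 4515 filter evaluator (=, &, |, ! only).
# Assumption: all attributes use case-insensitive equality matching.

def parse_filter(text):
    """Parse a filter string into nested tuples: ('=', attr, value),
    ('&', [...]), ('|', [...]) or ('!', [sub])."""
    pos = 0

    def node():
        nonlocal pos
        assert text[pos] == "(", "each filter component must be parenthesised"
        pos += 1
        op = text[pos]
        if op in "&|":                      # AND / OR over one or more children
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        elif op == "!":                     # NOT over exactly one child
            pos += 1
            result = ("!", [node()])
        else:                               # attr=value equality test
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            pos = end
            result = ("=", attr.lower(), value.lower())
        assert text[pos] == ")", "unbalanced parentheses"
        pos += 1
        return result

    tree = node()
    assert pos == len(text), "trailing characters after filter"
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against an entry dict {attr: [values]}.
    An absent attribute never satisfies an equality test, so an account
    with no globalLock value at all is denied, not allowed."""
    op = tree[0]
    if op == "=":
        values = [v for k, vs in entry.items() if k.lower() == tree[1] for v in vs]
        return any(v.lower() == tree[2] for v in values)
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    return not matches(tree[1][0], entry)   # "!"

PAM_FILTER = "(globalLock=off)"                                        # from Liam's post
ACL_FILTER = "(&(objectClass=inetOrgPerson)(organizationalStatus=0))"  # from Michael's ACL

def may_login(entry):
    return matches(parse_filter(PAM_FILTER), entry)

def password_acl_applies(entry):
    return matches(parse_filter(ACL_FILTER), entry)
```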