Christian Manal wrote:
On 21.11.2011 15:59, Michael Ströder wrote:
Christian Manal wrote:
On 21.11.2011 14:25, Jayavant Patil wrote:
Hi,
I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know how to enable/disable a user account in openLDAP? I know ppolicy overlay but I don't require this password based locking.
we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the userPassword (i.e. putting some random string before the '{HASH}' part),
With this approach you cannot re-enable an account without going through a password reset process.
Yes you can. For example, I change userPassword for a user from
userPassword: {SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
to
userPassword: foobar{SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
The password will now be interpreted as clear text. The user would have to know the hash for his password and the random 'foobar' part, to log in. To re-enable the password, I simply remove everything before '{SSHA}'.
No doubt: With IT everything is possible - everything...but if it makes sense is another question.
While this might work for you with custom code, having ACLs for userPassword is the much cleaner approach, without having to mess with password values and without having to write any custom code:
In this example organizationalStatus=0 means active:
access to attrs=userPassword filter=(&(objectClass=inetOrgPerson)(!(organizationalStatus=0)))
    by group="cn=Admins,ou=Groups,ou=example" =wx
    by group="cn=Replicas,ou=Groups,ou=example" read
    by * none

access to attrs=userPassword filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0))
    by group="cn=Admins,ou=Groups,ou=example" =swx
    by group="cn=Replicas,ou=Groups,ou=example" read
    by self =wx
    by * =x
Ciao, Michael.
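The two approaches discussed in this thread, as an added example (not code from either poster or from the OpenLDAP project): a small simulation of how slapd compares a userPassword value on simple bind, which shows why Christian's "prefix the hash" trick locks the account and why removing the prefix restores it, plus a generator for the LDIF that Michael's ACL-based approach needs (flipping organizationalStatus). The lock marker, the sample password, the salt, the DN and the value "1" for an inactive account are all constructed here; only "0 means active" comes from the thread.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
LOCK_PREFIX = "!LOCKED!"  # constructed marker; the thread used 'foobar'


def make_ssha(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored, candidate):
    """Mimic slapd's comparison of one userPassword value on simple bind.

    A value that starts with a known scheme tag is verified as a hash;
    any other value is compared as cleartext. That is exactly why a
    value like 'foobar{SSHA}...' can no longer be matched by the user's
    real password: it has silently become a cleartext password equal to
    the whole string.
    """
    if stored.startswith(SCHEME):
        raw = base64.b64decode(stored[len(SCHEME):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        cand = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(cand, digest)
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def lock_value(stored):
    """Christian's lock: put a marker in front of the scheme tag."""
    if stored.startswith(LOCK_PREFIX):
        return stored
    return LOCK_PREFIX + stored


def unlock_value(stored):
    """Re-enable by dropping everything before the scheme tag."""
    idx = stored.find(SCHEME)
    return stored[idx:] if idx > 0 else stored


def is_locked(stored):
    return SCHEME in stored and not stored.startswith(SCHEME)


def ldif_set_status(dn, active):
    """LDIF for Michael's ACL-based approach: organizationalStatus=0 is
    active; '1' for inactive is a constructed choice, the ACL only cares
    that it is not 0."""
    status = "0" if active else "1"
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: organizationalStatus\n"
        "organizationalStatus: %s\n" % (dn, status)
    )


if __name__ == "__main__":
    stored = make_ssha("correct horse", salt=b"abcd")  # constructed sample
    locked = lock_value(stored)
    print("bind with real password, active :", check_password(stored, "correct horse"))
    print("bind with real password, locked :", check_password(locked, "correct horse"))
    print("bind with whole locked value    :", check_password(locked, locked))
    print("unlocked equals original        :", unlock_value(locked) == stored)
    print(ldif_set_status("uid=jdoe,ou=People,dc=example,dc=com", active=False))
```

Feeding the LDIF to ldapmodify is all the ACL approach needs per account; the userPassword value itself is never touched, and the second ACL's "by self =wx" keeps self-service password changes available only while organizationalStatus is 0.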