On 22.11.2011 11:25, Buchan Milne wrote:
On Monday, 21 November 2011 16:17:33 Christian Manal wrote:
On 21.11.2011 14:25, Jayavant Patil wrote:
Hi,
I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know how
to enable/disable a user account in openLDAP? I know ppolicy overlay but I don't require this password based locking.
Thanks in advance.
Hi,
we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the userPassword (i.e. putting some random string before the '{HASH}' part), setting the loginShell to '/bin/false' and putting the 'D' flag in sambaAcctFlags.
Scrambling userPassword will prevent logins based on simple bind, changing the loginShell prevents PublicKey logins
No, it prevents starting a shell by ssh with public key, it doesn't prevent access which does not spawn a shell (such as ssh tunnel).
I know it's not perfect, but it's good enough for us.
and 'D' in sambaAcctFlags disables logins with Samba and Heimdal Kerberos.
But if you use anything else that uses Samba's password hashes (such as FreeRADIUS with mschap), that won't lock the user out.
That's right. Luckily, we don't have anything like that. If it ever comes around, I can still modify my ACLs.
IMHO, there is currently no convenient complete solution.
Agreed.
Regards, Christian Manal
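The three-part lock Christian describes (scrambled userPassword, loginShell set to /bin/false, 'D' in sambaAcctFlags) is simple to script and, more importantly, to audit: an account where only one or two of the three parts were applied is exactly the half-locked state Buchan's caveats warn about. The following is an added example, not code from anyone in the thread. The attribute names come from the thread; the exact prefix format used to scramble the password (`LOCKED-<hex>-` in front of the original `{SCHEME}` value so it can be restored later), the sample entry, and the LDIF layout are assumptions of this example.

```python
"""Apply and audit the userPassword/loginShell/sambaAcctFlags account lock.

Added example; not code from the mailing-list posters. Attribute names come
from the thread; the prefix format, sample entry and LDIF layout are assumed.
"""
import re
import secrets
from typing import Dict, Optional

LOCK_MARKER = "LOCKED-"      # assumed prefix layout: LOCKED-<hex>-{SCHEME}hash
LOCKED_SHELL = "/bin/false"
SAMBA_FLAG_WIDTH = 11        # sambaAcctFlags is '[' + 11 flag/space characters + ']'


def lock_password(value: str, token: Optional[str] = None) -> str:
    """Invalidate an RFC 2307 '{SCHEME}hash' value by prepending random text.

    The original value stays intact after the first '{', so it can be restored;
    until then the value no longer parses as a scheme, so simple bind fails.
    """
    if not value.startswith("{"):
        raise ValueError("expected a '{SCHEME}...' userPassword value")
    token = token if token is not None else secrets.token_hex(8)
    return f"{LOCK_MARKER}{token}-{value}"


def unlock_password(value: str) -> str:
    """Strip the random prefix and return the original '{SCHEME}hash' value."""
    return value[value.index("{"):]


def set_samba_disabled(flags: str, disabled: bool = True) -> str:
    """Add or remove the 'D' flag in a value like '[U          ]', keeping the width."""
    m = re.fullmatch(r"\[([A-Za-z ]*)\]", flags)
    if m is None:
        raise ValueError(f"unrecognised sambaAcctFlags value: {flags!r}")
    letters = [c for c in m.group(1) if c not in (" ", "D")]
    if disabled:
        letters.append("D")
    return "[" + "".join(letters).ljust(SAMBA_FLAG_WIDTH) + "]"


def lock_entry(entry: Dict[str, str], token: Optional[str] = None) -> Dict[str, str]:
    """Return a copy of the entry with all three locks applied."""
    locked = dict(entry)
    locked["userPassword"] = lock_password(entry["userPassword"], token)
    locked["loginShell"] = LOCKED_SHELL
    locked["sambaAcctFlags"] = set_samba_disabled(entry["sambaAcctFlags"], True)
    return locked


def unlock_entry(entry: Dict[str, str], shell: str = "/bin/bash") -> Dict[str, str]:
    """Reverse lock_entry; the original shell is not stored, so it is passed in."""
    restored = dict(entry)
    restored["userPassword"] = unlock_password(entry["userPassword"])
    restored["loginShell"] = shell
    restored["sambaAcctFlags"] = set_samba_disabled(entry["sambaAcctFlags"], False)
    return restored


def lock_status(entry: Dict[str, str]) -> Dict[str, bool]:
    """Report each lock separately; a mixed result is an audit finding.

    Note the limits the thread points out: a disabled shell does not stop
    non-shell SSH use, and services that consume Samba's hashes directly are
    not covered by any of these three attributes.
    """
    return {
        "password_scrambled": not entry.get("userPassword", "{").startswith("{"),
        "shell_disabled": entry.get("loginShell") == LOCKED_SHELL,
        "samba_disabled": "D" in entry.get("sambaAcctFlags", "").strip("[]"),
    }


def is_fully_locked(entry: Dict[str, str]) -> bool:
    return all(lock_status(entry).values())


def modify_ldif(dn: str, new_values: Dict[str, str]) -> str:
    """Render an LDIF 'changetype: modify' replacing the given attributes."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in new_values.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


# Constructed sample entry; the hash is a placeholder, not a real credential.
SAMPLE_ENTRY = {
    "userPassword": "{SSHA}cGxhY2Vob2xkZXItbm90LWEtcmVhbC1oYXNo",
    "loginShell": "/bin/bash",
    "sambaAcctFlags": "[" + "U".ljust(SAMBA_FLAG_WIDTH) + "]",   # '[U          ]'
}

if __name__ == "__main__":
    locked = lock_entry(SAMPLE_ENTRY)
    print(modify_ldif("uid=example,ou=People,dc=example,dc=com", locked))
    print("status after lock:", lock_status(locked))
    print("status of original:", lock_status(SAMPLE_ENTRY))
```

Running the script prints the modify LDIF for the locked entry and the per-attribute status of both the locked and the original entry; feeding `lock_status` the attributes of every account in a directory export is a cheap way to find accounts where the three parts have drifted apart.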