On 21.11.2011 15:59, Michael Ströder wrote:
Christian Manal wrote:
On 21.11.2011 14:25, Jayavant Patil wrote:
Hi,
I am using openldap-2.4.19-4 on fedora 12 machine. Does anybody know how to enable/disable a user account in openLDAP? I know ppolicy overlay but I don't require this password based locking.
We lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the userPassword (i.e. putting some random string before the '{HASH}' part), setting the loginShell to '/bin/false' and putting the 'D' flag in sambaAcctFlags.
With this approach you cannot re-enable an account without going through a password reset process.
Yes you can. For example, I change userPassword for a user from
userPassword: {SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
to
userPassword: foobar{SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
The password will now be interpreted as clear text. The user would have to know the hash for his password and the random 'foobar' part, to log in. To re-enable the password, I simply remove everything before '{SSHA}'.
Regards, Christian Manal
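
The lock and re-enable steps described in this message, as an added example that is not part of the original thread: it prefixes a hashed userPassword with a random string, strips the prefix again, and emits LDIF for ldapmodify. The function names and the DN are assumptions made for illustration, and restoring the user's original loginShell on unlock is left to the caller.

```python
import re
import secrets

# A stored value such as "{SSHA}srR7...": scheme tag in braces, then the hash.
HASHED = re.compile(r"^\{[A-Za-z0-9_-]+\}.+$", re.S)
# A locked value: non-empty prefix containing no '{', followed by a hashed value.
LOCKED = re.compile(r"^[^{]+(\{[A-Za-z0-9_-]+\}.+)$", re.S)


def lock_value(user_password: str) -> str:
    """Prefix a hashed userPassword with a random string so it no longer verifies."""
    if LOCKED.match(user_password):
        return user_password  # already locked, keep the existing prefix
    if not HASHED.match(user_password):
        # No {SCHEME} tag: unlocking could not tell the prefix from the password.
        raise ValueError("value has no {SCHEME} tag; refusing to lock")
    # Hex output never contains '{', so the prefix boundary stays unambiguous.
    return secrets.token_hex(16) + user_password


def unlock_value(user_password: str) -> str:
    """Remove everything before the {SCHEME} tag, as described in the thread."""
    if HASHED.match(user_password):
        return user_password  # not locked, nothing to strip
    m = LOCKED.match(user_password)
    if not m:
        raise ValueError("value is not a prefixed {SCHEME} hash")
    return m.group(1)


def modify_ldif(dn: str, new_value: str, shell: str) -> str:
    """LDIF for ldapmodify replacing userPassword and loginShell on one entry."""
    # Values here start with a hex digit or '{', so no base64 ("::") form is needed.
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {new_value}\n"
        "-\n"
        "replace: loginShell\n"
        f"loginShell: {shell}\n"
    )


if __name__ == "__main__":
    stored = "{SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em"  # value quoted in the thread
    dn = "uid=jdoe,ou=people,dc=example,dc=org"        # constructed DN
    print(modify_ldif(dn, lock_value(stored), "/bin/false"))
```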