On 21.11.2011 18:21, Michael Ströder wrote:
Christian Manal wrote:
On 21.11.2011 15:59, Michael Ströder wrote:
Christian Manal wrote:
On 21.11.2011 14:25, Jayavant Patil wrote:
Hi,
I am using openldap-2.4.19-4 on a Fedora 12 machine. Does anybody know how to enable/disable a user account in OpenLDAP? I know the ppolicy overlay but I don't require this password-based locking.
we lock UNIX/Samba/Kerberos accounts in our system by "invalidating" the userPassword (i.e. putting some random string before the '{HASH}' part),
With this approach you cannot re-enable an account without going through a password reset process.
Yes you can. For example, I change userPassword for a user from
userPassword: {SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
to
userPassword: foobar{SSHA}srR7zMWHgzmz6t68TodubAzNfexsL6em
The password will now be interpreted as clear text. The user would have to know the hash for his password and the random 'foobar' part to log in. To re-enable the password, I simply remove everything before '{SSHA}'.
No doubt: With IT everything is possible - everything...but if it makes sense is another question.
It gets the job done. I never said it was clean :P
While this might work for you with custom code, having ACLs for userPassword is the much cleaner approach, without having to mess with password values and without having to write any custom code:
True, your way is more optimal and I may actually "steal" it.
As for custom code, I already need that to change the other attributes I mentioned, plus some from a homebrew schema. So, at least for my environment, it doesn't really matter.
Regards, Christian Manal
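The prefix trick Christian describes, worked through as an added example (this is not code from the thread or from OpenLDAP): slapd hash-compares a userPassword value only when it begins with a recognised `{SCHEME}` tag, so prepending anything else turns the stored hash into a clear-text password nobody knows, and stripping the prefix restores it. The lock marker `LOCKED!`, the sample password, the fixed salt and the DN are all assumptions constructed for the example; the SSHA check models what slapd does for `{SSHA}` values only.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# slapd treats a userPassword value as a hash only when it starts with a
# "{SCHEME}" tag; any other value is compared as clear text. Locking by
# prefix relies on exactly that behaviour.
_SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")

# Assumed lock marker (not from the thread); anything without "{" works.
LOCK_PREFIX = "LOCKED!"


def is_hashed(value: str) -> bool:
    """True when slapd would treat value as a {SCHEME} hash."""
    return _SCHEME_RE.match(value) is not None


def is_locked(value: str) -> bool:
    """True when value is a {SCHEME} hash hidden behind a lock prefix."""
    idx = value.find("{")
    return idx > 0 and is_hashed(value[idx:])


def lock_password(value: str, prefix: str = LOCK_PREFIX) -> str:
    """Invalidate a hashed userPassword while keeping the hash recoverable."""
    if "{" in prefix:
        raise ValueError("prefix must not contain '{'")
    if is_locked(value):
        return value  # already locked; never stack prefixes
    if not is_hashed(value):
        raise ValueError("refusing to lock a value that is not a {SCHEME} hash")
    return prefix + value


def unlock_password(value: str) -> str:
    """Re-enable the account: drop everything before the first {SCHEME} tag."""
    if is_hashed(value):
        return value  # nothing to strip
    if not is_locked(value):
        raise ValueError("value is neither a hash nor a locked hash")
    return value[value.find("{"):]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(value: str, password: str) -> bool:
    """Check a clear-text password against an {SSHA} value (20-byte digest, then salt)."""
    if not value.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def simple_bind_would_succeed(stored: str, presented: str) -> bool:
    """Model slapd's userPassword comparison for a simple bind ({SSHA} or clear text)."""
    if is_hashed(stored):
        return ssha_verify(stored, presented)  # other schemes are not modelled here
    return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))


def ldif_replace_password(dn: str, value: str) -> str:
    """LDIF for ldapmodify that replaces userPassword; base64-encode when LDIF-unsafe."""
    if value[:1] in (" ", ":", "<") or not value.isascii():
        line = "userPassword:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    else:
        line = "userPassword: " + value
    return "\n".join([f"dn: {dn}", "changetype: modify", "replace: userPassword", line]) + "\n"


if __name__ == "__main__":
    # Constructed sample with a fixed salt so the run is reproducible.
    original = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")
    locked = lock_password(original)
    print(ldif_replace_password("uid=jdoe,ou=people,dc=example,dc=com", locked))
    print("real password accepted while locked:", simple_bind_would_succeed(locked, "correct horse"))
    print("real password accepted after unlock:", simple_bind_would_succeed(unlock_password(locked), "correct horse"))
```

Feed the printed LDIF to `ldapmodify` as a DN that has write access to userPassword; locking and unlocking are both a single `replace`, and nothing has to be reset. Michael's ACL suggestion is cut off on the page; one way to express it (my assumption, not his text) in slapd.conf syntax is a rule placed before the usual userPassword rule, such as `access to filter=(description=LOCKED) attrs=userPassword by * none`, which makes a simple bind fail for matching entries because the bind needs `auth` access to the target entry's userPassword, while the stored hash stays untouched. Rule order matters there: slapd applies the first `access to` clause whose target matches.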