On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote:
So, I need a reliable way to lock an account that can handle both methods.
I haven't followed the thread closely, but if I understand you correctly: You want to disable/lock an account, without hiding it from ls etc?
As in, making sure the user can't authenticate?
If this is the case, do it the old standardized UNIX way: put an asterisk in front of the password.
Example: I'm using Kerberos V as 'password storage', hence my userPassword attribute looks like:
dn: uid=turbo,ou=People,o=FREQVIST,c=SE userPassword: {SASL}turbo@BAYOUR.COM
Simplest way to lock me out, would simply do a:
dn: uid=turbo,ou=People,o=FREQVIST,c=SE changetype: modify replace: userPassword userPassword: *{SASL}turbo@BAYOUR.COM
and send this to 'ldapmodify'...
This (should) work with any form of system you're using (pam, nss, sssd etc). It simply stops the authorization process, nothing else. -- Choose a job you love, and you will never have to work a day in your life.