On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote:
So, I need a reliable way to lock an account that can handle both
I haven't followed the thread closely, but if I understand
you correctly: You want to disable/lock an account, without
hiding it from ls etc?
As in, making sure the user can't authenticate?
If this is the case, do it the old standardized UNIX way: put
an asterisk in front of the password.
Example: I'm using Kerberos V as 'password storage', hence my
userPassword attribute looks like:
Simplest way to lock me out, would simply do a:
and send this to 'ldapmodify'...
This (should) work with any form of system you're using
(pam, nss, sssd etc). It simply stops the authorization
process, nothing else.
Choose a job you love, and you will never have
to work a day in your life.