On Tuesday 21 October 2008 15:39:25 Almir Karic wrote:
On Mon, Oct 20, 2008 at 4:37 PM, Bill Jorgensen <Bill.Jorgensen@eim-usa.com> wrote:
I would need a little more information to help you. I have been working LDAP within AIX so I know that pretty well...
What I'd like to know is how to disable an account so you can't bind as the disabled user, while, if I change my mind, you can still bind as that user (with the old password). Any hints?
To achieve this (and not rely on shadowAccount etc.), you probably need to use the OpenLDAP ppolicy overlay, and lock the user out with the pwdAccountLockedTime attribute.
E.g.:
$ read -s -p 'LDAP Password: ' LDAPPASS
LDAP Password:
$ ldapwhoami -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
Lock the user out:
# TZ=Z date "+%Y%m%d%H%M%SZ"
20081021135537Z
# ldapmodify
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
add: pwdAccountLockedTime
pwdAccountLockedTime: 20081021135537Z

modifying entry "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"
Try and bind now:
$ ldapwhoami -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
ldap_bind: Invalid credentials (49)
Unlock the account:
# ldapmodify
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
delete: pwdAccountLockedTime

modifying entry "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"
Bind again:
$ ldapwhoami -e ppolicy -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
The configuration required for this:
(if this is not your default policy)
$ ldapsearch -LLL -x "(uid=bgmilne)" pwdPolicySubEntry
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com
$ ldapsearch -LLL -x -s base -b 'cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com'
dn: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com
cn: default
objectClass: pwdPolicy
objectClass: namedObject
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMustChange: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 3
pwdGraceAuthNLimit: 5
pwdMinLength: 6
pwdMaxAge: 1800
# grep ppolicy /etc/openldap/slapd.conf
include /usr/share/openldap/schema/ppolicy.schema
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com"
(overlay ppolicy and ppolicy_default need to be in the database section)
Regards, Buchan
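The lock and unlock steps from the message above, as an added Python example that is not part of the thread: it builds the same ldapmodify LDIF (with the timestamp in the format `TZ=Z date "+%Y%m%d%H%M%SZ"` prints) and decides from a searched entry whether ppolicy would still refuse the bind. It goes beyond the thread in handling the ppolicy permanent-lock sentinel 000001010000Z and a policy pwdLockoutDuration; both are assumptions taken from the slapo-ppolicy semantics, and the cn=default policy shown in the thread has no pwdLockoutDuration, so its locks last until the attribute is deleted.

```python
from datetime import datetime, timedelta, timezone

# GeneralizedTime layout, the same one `TZ=Z date "+%Y%m%d%H%M%SZ"` prints.
GT_FORMAT = "%Y%m%d%H%M%SZ"
# Sentinel value ppolicy treats as "locked until an administrator clears it"
# (assumption from the ppolicy specification, not something the thread shows).
PERMANENT_LOCK = "000001010000Z"


def now_generalized_time():
    """Current UTC time in the form pwdAccountLockedTime expects."""
    return datetime.now(timezone.utc).strftime(GT_FORMAT)


def parse_generalized_time(value):
    """Parse a value such as 20081021135537Z into an aware UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def lock_ldif(dn, stamp=None, permanent=False):
    """LDIF for ldapmodify that adds pwdAccountLockedTime, as in the thread.
    permanent=True writes the sentinel instead, which ignores pwdLockoutDuration."""
    if permanent:
        stamp = PERMANENT_LOCK
    elif stamp is None:
        stamp = now_generalized_time()
    return (f"dn: {dn}\nchangetype: modify\n"
            f"add: pwdAccountLockedTime\npwdAccountLockedTime: {stamp}\n")


def unlock_ldif(dn):
    """LDIF that deletes the attribute again; the old password works afterwards."""
    return f"dn: {dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n"


def is_locked(entry, now, lockout_duration=0):
    """Would ppolicy refuse a simple bind for `entry` at GeneralizedTime `now`?
    entry maps attribute names to value lists, as an LDAP search returns them.
    lockout_duration is the policy's pwdLockoutDuration in seconds; 0 or absent
    (the thread's cn=default policy) keeps the lock until an admin deletes it."""
    values = entry.get("pwdAccountLockedTime", [])
    if not values:
        return False
    stamp = values[0]
    if stamp == PERMANENT_LOCK or lockout_duration <= 0:
        return True
    expires = parse_generalized_time(stamp) + timedelta(seconds=lockout_duration)
    return parse_generalized_time(now) < expires
```

Feed the output of lock_ldif or unlock_ldif to ldapmodify on stdin, exactly as the thread does by hand.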