Hello everyone, can anyone point me to how you can disable/enable an LDAP user account? Thanks in advance.
Regards, Deepak.
Deepak:
I would need a little more information to help you. I have been working with LDAP within AIX, so I know that pretty well...
Best regards,
Bill
From: openldap-technical-bounces+bill.jorgensen=eim-usa.com@OpenLDAP.org [mailto:openldap-technical-bounces+bill.jorgensen=eim-usa.com@OpenLDAP.org] On Behalf Of RamakrishnaDeepak Battu
Sent: Monday, October 20, 2008 5:46 AM
To: openldap-technical@openldap.org
Subject: How to disable or enable an ldap user account

> Hello everyone, can anyone point me to how you can disable/enable an LDAP user account? Thanks in advance.
> Regards, Deepak.
I assume you mean disable authentication?
You could delete the password hash or replace it with something you would later recognize, such as *LOCK*.
Scott
On Oct 20, 2008, at 4:45 AM, RamakrishnaDeepak Battu <ramakrishnadeepak@gmail.com> wrote:

> Hello everyone, can anyone point me to how you can disable/enable an LDAP user account? Thanks in advance.
> Regards, Deepak.
On Mon, Oct 20, 2008 at 4:37 PM, Bill Jorgensen <Bill.Jorgensen@eim-usa.com> wrote:

> I would need a little more information to help you. I have been working with LDAP within AIX, so I know that pretty well...

What I'd like to know is how to disable an account so you can't bind as the disabled user, while, if I change my mind, you can still bind as that user (with the old password). Any hints?
Hello,
RamakrishnaDeepak Battu wrote:

> Can anyone point me to how you can disable/enable an LDAP user account? Thanks in advance.
I use an attribute from the "shadowAccount" object class:
To disable a user I add

shadowexpire: 0

To enable the user I remove that attribute.
Unixoid systems with "shadow" mechanisms honor that attribute and deny login with the message "Password expired". For other systems you have to be creative with either ACLs (remove the "auth" right for entries with that attribute) or LDAP filters on the systems (if the system can't find the user, it won't allow him to log in).
Bye, Christian
On Tuesday 21 October 2008 15:39:25 Almir Karic wrote:

> On Mon, Oct 20, 2008 at 4:37 PM, Bill Jorgensen <Bill.Jorgensen@eim-usa.com> wrote:
>
> > I would need a little more information to help you. I have been working with LDAP within AIX, so I know that pretty well...
>
> What I'd like to know is how to disable an account so you can't bind as the disabled user, while, if I change my mind, you can still bind as that user (with the old password). Any hints?

To achieve this (and not rely on shadowAccount etc.), you probably need to use the OpenLDAP ppolicy overlay, and lock the user out with the pwdAccountLockedTime attribute.
E.g.:
$ read -s -p 'LDAP Password: ' LDAPPASS
LDAP Password:
$ ldapwhoami -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com

Lock the user out:

# TZ=Z date "+%Y%m%d%H%M%SZ"
20081021135537Z
# ldapmodify
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
add: pwdAccountLockedTime
pwdAccountLockedTime: 20081021135537Z

modifying entry "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"
Try and bind now:

$ ldapwhoami -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
ldap_bind: Invalid credentials (49)

Unlock the account:

# ldapmodify
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
delete: pwdAccountLockedTime

modifying entry "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"
Bind again:

$ ldapwhoami -e ppolicy -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -w $LDAPPASS
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
The configuration required for this:
(if this is not your default policy)
$ ldapsearch -LLL -x "(uid=bgmilne)" pwdPolicySubEntry
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com

$ ldapsearch -LLL -x -s base -b 'cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com'
dn: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com
cn: default
objectClass: pwdPolicy
objectClass: namedObject
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMustChange: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 3
pwdGraceAuthNLimit: 5
pwdMinLength: 6
pwdMaxAge: 1800

# grep ppolicy /etc/openldap/slapd.conf
include /usr/share/openldap/schema/ppolicy.schema
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=com"
(overlay ppolicy and ppolicy_default need to be in the database section)
Regards, Buchan
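An added example (not code from any post in this thread) that ties Christian's shadowExpire trick and Buchan's ppolicy lock together from the auditor's side: it reads an LDIF export, reports each entry as locked, expired or active (honouring pwdLockoutDuration and the slapo-ppolicy permanent-lock value 000001010000Z), and generates the ldapmodify input for the lock and unlock steps. The DNs in SAMPLE are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
GENTIME = "%Y%m%d%H%M%SZ"         # LDAP GeneralizedTime, as ppolicy stores it
PERMANENT_LOCK = "000001010000Z"   # slapo-ppolicy: locked until an admin clears it
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def gentime(s):
    # e.g. "20081021135537Z" -> timezone-aware UTC datetime
    return datetime.strptime(s, GENTIME).replace(tzinfo=timezone.utc)

def parse_ldif(text):
    # Minimal reader: 'attr: value' lines, blank line between entries
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(val.strip())
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def account_state(entry, now, lockout_duration=0):
    # lockout_duration mirrors pwdLockoutDuration (seconds; 0 = lock never times out)
    locked = entry.get("pwdaccountlockedtime")
    if locked:
        if locked[0] == PERMANENT_LOCK:
            return "locked"
        if lockout_duration == 0 or now < gentime(locked[0]) + timedelta(seconds=lockout_duration):
            return "locked"
    expire = entry.get("shadowexpire")
    if expire and 0 <= int(expire[0]) < (now - EPOCH).days:
        return "expired"   # shadowExpire: 0 (Christian's trick) lies in the past; negative = never
    return "active"

def audit(ldif_text, now, lockout_duration=0):
    return {e["dn"][0]: account_state(e, now, lockout_duration) for e in parse_ldif(ldif_text)}
def lock_ldif(dn, when=None):
    # Same modify as Buchan's session; when=None yields the unlock (delete) variant
    op = ("delete: pwdAccountLockedTime\n" if when is None else
          f"add: pwdAccountLockedTime\npwdAccountLockedTime: {when.strftime(GENTIME)}\n")
    return f"dn: {dn}\nchangetype: modify\n{op}"
# Constructed sample export with hypothetical DNs (not real directory data)
SAMPLE = """dn: uid=alice,ou=People,dc=example,dc=com
pwdAccountLockedTime: 20081021135537Z

dn: uid=bob,ou=People,dc=example,dc=com
shadowExpire: 0

dn: uid=carol,ou=People,dc=example,dc=com
"""
```

Feed the output of lock_ldif to ldapmodify over an authenticated connection; the audit function only needs a read-only ldapsearch export.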
Hello Deepak,
I also needed this functionality and implemented it with ACLs:

========================================================================
# Access by groups Admins and Replicators
access to dn.subtree="dc=previdencia,dc=gov,dc=br"
        by group.exact="cn=LDAP Admins,ou=Grupos,ou=Builtin,dc=previdencia,dc=gov,dc=br" write
        by group.exact="cn=LDAP Replicators,ou=Grupos,ou=Builtin,dc=previdencia,dc=gov,dc=br" read
        by * break

# Implementation of the concept of 'hidden' in Exchange 5.5
access to dn.subtree="dc=previdencia,dc=gov,dc=br" filter=(accountStatus=deleted)
        by * none
========================================================================

The first ACL is required so that members of the groups "LDAP Admins" and "LDAP Replicators" can work normally.
The second ACL is the implementation of the concept of "hidden" in Exchange 5.5, using "accountStatus = deleted".
I hope I have helped.
Hugs, Jarbas
2008/10/20 RamakrishnaDeepak Battu <ramakrishnadeepak@gmail.com>:

> Hello everyone, can anyone point me to how you can disable/enable an LDAP user account? Thanks in advance.
> Regards, Deepak.