Hello, My apologies if this is in the wrong place. I am getting ready to migrate from NIS to LDAP in our HPC clusters. I need to know how to disable a user account, that is not to delete it, but to temporarily disable it. My current GUI to access LDAP is Apache Directory Studio. I also have the standard command-line commands, ldapmodify, etc. So I have been looking around in various places. I saw some videos on YouTube for adding users with Apache. I can do most of the tasks listed for Apache Directory Studio. However, I have not used the command line other than to add, delete or modify users and searches, oh and create some LDIF files. My past experiences with LDAP and IDM products are based around UNIX-based systems and applications "Sun™ Java System Directory Server 5.x and 6.x" and "Sun™ Identity Manager". I have also used Active Directory on the Microsoft side. So I have a better than average understanding of things, I just need to know this specific task.
So if it is possible in OpenLDAP, to disable and enable users can anyone point me to a document or a YouTube Video or any information.
Thank you so much for your assistance, in advance.
Sincerely
Bill Branson Server Engineer II | Research Computing Center Medical College of Wisconsin 414-955-2475 | wbranson@mcw.edu
--On Wednesday, August 19, 2020 8:50 PM +0000 wbranson@mcw.edu wrote:
things, I just need to know this specific task. So if it is possible in OpenLDAP, to disable and enable users can anyone point me to a document or a YouTube Video or any information.
We would need to know how your OpenLDAP instance is configured. For example, if you are using the password policy overlay along with a specific password policy that allows for disabling accounts. If you're not doing that, then you likely have to implement something that allows this to be done. For example, a custom attribute that tracks the account status, and then an ACL that blocks access to the userPassword attribute if an account has been disabled.
I.e., the information you have provided so far doesn't enable us to provide you the information necessary.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
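The ppolicy route Quanah mentions first needs no custom schema: slapo-ppolicy treats the operational attribute pwdAccountLockedTime with the value 000001010000Z as "locked by an administrator, never expires", and removing the attribute unlocks the account. The LDIF below is an added example, not from anyone in this thread; it assumes the ppolicy overlay is loaded on the database, that a default policy (olcPPolicyDefault) applies to the user, and that the DN is a constructed placeholder.

```ldif
# Added example. Assumes slapo-ppolicy is active for this entry and that
# uid=jdoe,ou=People,dc=example,dc=com is a placeholder DN.

# Disable: set the administrative permanent-lock marker. Simple binds as
# this user now fail with invalidCredentials (49), the same result code a
# wrong password gives, so clients cannot tell the two apart unless they
# send the ppolicy request control.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 000001010000Z

# Re-enable: delete the lock marker. The entry, its POSIX attributes and
# its group memberships were never touched, which is the point of
# disabling rather than deleting.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
delete: pwdAccountLockedTime
```

Apply each record with ldapmodify as the rootdn (or over ldapi:/// with SASL EXTERNAL if that maps to an administrative identity); pwdAccountLockedTime is declared NO-USER-MODIFICATION, so if slapd answers "no user modification allowed", repeat the modify with `-e relax`. Because the attribute is operational it does not show up in a plain search; request it explicitly or with `+` (`ldapsearch ... '(uid=jdoe)' pwdAccountLockedTime`). A quick check of the lock is `ldapwhoami -e ppolicy -D uid=jdoe,... -W`, which reports the account as locked instead of a bare invalid-credentials error. Keep in mind this only blocks authentication through slapd: sessions already open on the cluster, cached credentials in sssd, and SSH keys in the user's authorized_keys never consult userPassword, so the login nodes also need an authorization check (for example a client-side access filter) before the user is truly out.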
On 19/08/2020 at 21:55, Quanah Gibson-Mount wrote:
--On Wednesday, August 19, 2020 8:50 PM +0000 wbranson@mcw.edu wrote:
things, I just need to know this specific task. So if it is possible in OpenLDAP, to disable and enable users can anyone point me to a document or a YouTube Video or any information.
We would need to know how your OpenLDAP instance is configured. For example, if you are using the password policy overlay along with a specific password policy that allows for disabling accounts. If you're not doing that, then you likely have to implement something that allows this to be done. For example, a custom attribute that tracks the account status, and then an ACL that blocks access to the userPassword attribute if an account has been disabled.
I.e., the information you have provided so far doesn't enable us to provide you the information necessary.
If you use the ppolicy overlay, you can use LTB Service Desk, a Web GUI. See https://service-desk.readthedocs.io
On 8/19/20 9:50 PM, wbranson@mcw.edu wrote:
I am getting ready to migrate from NIS to LDAP in our HPC clusters.
BTW: Are you using netgroups?
I need to know how to disable a user account, that is not to delete it, but to temporarily disable it.
Define an ACL which grants auth access to userPassword attribute based on the value of a (custom) status attribute.
For example in Æ-DIR (based on OpenLDAP) I have an attribute aeStatus:
https://www.ae-dir.com/docs.html#schema-oc-aeObject
And this ACL:
https://gitlab.com/ae-dir/ansible-ae-dir-server/-/blob/master/templates/slap...
Of course with ACLs you can also make inactive entries invisible for apps / systems consuming LDAP entries like this:
https://gitlab.com/ae-dir/ansible-ae-dir-server/-/blob/master/templates/slap...
And yes, Æ-DIR is especially made for NSS/PAM for Linux logins and provides some more things you have to build.
Ciao, Michael.
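Both Quanah's second suggestion and Michael's reply describe the same mechanism: a status attribute on the entry plus an ACL that withholds auth access to userPassword when the status says disabled. The cn=config LDIF below is an added example, not Æ-DIR's configuration or anything posted in this thread; it assumes the data database lives at olcDatabase={1}mdb, that a hypothetical single-valued attribute accountStatus (values active or disabled) has been added to a local schema, and that the group and user DNs are constructed placeholders.

```ldif
# Added example. Assumes a local schema defining the hypothetical attribute
# accountStatus, the data database at olcDatabase={1}mdb, and placeholder
# DNs under dc=example,dc=com.

# 1. Install the ACLs. slapd uses the first "to" clause whose target
#    matches, so the filter clause for disabled entries must precede the
#    general userPassword rule or it will never be consulted. "replace"
#    discards every existing olcAccess value: merge your current rules
#    into this list before applying it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to filter=(accountStatus=disabled) attrs=userPassword
  by * none
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {2}to attrs=accountStatus
  by group.exact="cn=ldap-admins,ou=Groups,dc=example,dc=com" write
  by * read
olcAccess: {3}to * by * read

# 2. Disable a user. The entry keeps its uidNumber, gidNumber and group
#    memberships, so file ownership on the cluster still resolves to a name.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: accountStatus
accountStatus: disabled

# 3. Re-enable the user.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: accountStatus
accountStatus: active
```

With rule {0} in place a disabled user's simple bind fails with invalidCredentials (49), and the user also loses self-write on userPassword, so they cannot reset their way back in; the rootdn bypasses ACLs entirely and rule {2} lets the named admin group flip the flag. Michael's second link goes one step further and hides inactive entries altogether; the equivalent here is `to filter=(accountStatus=disabled) by group.exact="cn=ldap-admins,..." read by * none` as the very first rule, which drops the entry from every search (and therefore from bind as well). On an HPC cluster that has a cost: NSS lookups for the disabled uid start returning nothing, so `ls -l` shows raw numbers and accounting reports lose the name, which is why keeping the entry visible and blocking only userPassword is often the better fit. In either variant the ACL governs only authentication against slapd; existing sessions, sssd's credential cache and SSH public keys are unaffected, so pair it with a client-side authorization filter (for instance sssd's ldap_access_filter requiring accountStatus=active) so that NSS/PAM logins are refused as well.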
openldap-technical@openldap.org