Does openldap has a provision like active directory to disable a user?
useraccountcontrol 544
-Jignesh
On 16/04/2013 19:49, Jignesh Patel wrote:
Does openldap has a provision like active directory to disable a user?
useraccountcontrol 544
At our site I created a new attribute 'globalLock' for every account and filter on that at the service end. For example in /etc/ldap.conf for PAM:
pam_filter (globalLock=off)
Enabled users get globalLock set to 'off'. Any other value will lock the user out.
It's simple enough to use in Apache and other applications too.
And at our site we use a disabled OU now.
We used to simply 'scramble' their passwords (only works if you don't have a forgot password functionality setup somewhere, which we don't.)
Many different ways to get the job done.
- chris
----- Original Message ----- From: openldap-technical-bounces@OpenLDAP.org openldap-technical-bounces@OpenLDAP.org To: openldap-technical@openldap.org openldap-technical@openldap.org Sent: Fri Apr 19 08:55:46 2013 Subject: Re: disabling user account
On 16/04/2013 19:49, Jignesh Patel wrote:
Does openldap has a provision like active directory to disable a user?
useraccountcontrol 544
At our site I created a new attribute 'globalLock' for every account and filter on that at the service end. For example in /etc/ldap.conf for PAM:
pam_filter (globalLock=off)
Enabled users get globalLock set to 'off'. Any other value will lock the user out.
It's simple enough to use in Apache and other applications too.
-- Liam Gretton liam.gretton@le.ac.uk Systems Specialist http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
2013/4/16 Jignesh Patel jignesh@icare.com
Does openldap has a provision like active directory to disable a user?
useraccountcontrol 544
You can use ppolicy overlay and manually set pwdAccountLockedTime to lock the user account.
Clément.
Liam Gretton wrote:
On 16/04/2013 19:49, Jignesh Patel wrote:
Does openldap has a provision like active directory to disable a user?
useraccountcontrol 544
At our site I created a new attribute 'globalLock' for every account and filter on that at the service end. For example in /etc/ldap.conf for PAM:
pam_filter (globalLock=off)
Enabled users get globalLock set to 'off'. Any other value will lock the user out.
It's simple enough to use in Apache and other applications too.
Better to do this in a slapd ACL and enforce from the server side, than to rely on correctness of multiple clients.
access to attrs=userpassword filter=(globalLock=off) by anonymous auth
Liam Gretton wrote:
On 16/04/2013 19:49, Jignesh Patel wrote:
Does openldap has a provision like active directory to disable a user?
useraccountcontrol 544
At our site I created a new attribute 'globalLock' for every account and filter on that at the service end. For example in /etc/ldap.conf for PAM:
pam_filter (globalLock=off)
Enabled users get globalLock set to 'off'. Any other value will lock the user out.
It's simple enough to use in Apache and other applications too.
The downside is that you have to configure it in each system. This is not always possible.
I usually have an ACL like this for active human user's passwords which 1. allows all users to login, 2. grants write-only access for admins and 3. grants write-only access for the user himself.
access to dn.onelevel="ou=People,dc=example,dc=com" attrs=userPassword filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0)) by group="cn=Admins,ou=Groups,dc=example,dc=com" =wx by self =wx by * auth
Ciao, Michael.
On 19/04/2013 17:20, Howard Chu wrote:
Better to do this in a slapd ACL and enforce from the server side, than to rely on correctness of multiple clients.
access to attrs=userpassword filter=(globalLock=off) by anonymous auth
We don't use LDAP for passwords, and that wouldn't prevent SSH key logins either.
Also we trust our client config just as much as our LDAP config.
Liam Gretton wrote:
On 19/04/2013 17:20, Howard Chu wrote:
Better to do this in a slapd ACL and enforce from the server side, than to rely on correctness of multiple clients.
access to attrs=userpassword filter=(globalLock=off) by anonymous auth
We don't use LDAP for passwords, and that wouldn't prevent SSH key logins either.
You could (or better should) easily extend this ACL-based approach to whole user entries. Use your imagination. Actually I'm doing this all the time.
Also we trust our client config just as much as our LDAP config.
I often have to deal with clients where I can't set a filter in client configuration at all. Usually some appliances are a nightmare to configure.
Ciao, Michael.
openldap-technical@openldap.org