Hi, I want to disable an account without deleting the information about it. This account is linked with some services such as Owncloud, FTP authentication, Samba, Linux auth and SSH auth. Is there a way to disable the account for all the services? I know that I can disable the account for Samba with sambaAcctFlags, but I don't know an easy way for the other services.
I thought of creating a new attribute called "AccountStatus" and, in each service, filtering on the accounts which have AccountStatus=active, like this:
(&(objectClass=inetOrgPerson)(AccountStatus=active))
Is this a good way to do it or not?
Thanks
Julien Courtès
Hi Julien,
Place an exclamation mark (!) in front of the userPassword value. This disables the posixAccount usage.
Greetings,
Dennis
On 04/28/2014 02:56 PM, Julien Courtès wrote:
Hi, I want to disable an account without deleting the information about it. This account is linked with some services such as Owncloud, FTP authentication, Samba, Linux auth and SSH auth. Is there a way to disable the account for all the services? I know that I can disable the account for Samba with sambaAcctFlags, but I don't know an easy way for the other services.
I thought of creating a new attribute called "AccountStatus" and, in each service, filtering on the accounts which have AccountStatus=active, like this:
(&(objectClass=inetOrgPerson)(AccountStatus=active))
Is this a good way to do it or not?
Thanks
Julien Courtès
-- 
ICT staff member, Division of Biomedical Genetics, UMC Utrecht, Heidelberglaan 100 STR2.126, 3584 CX Utrecht, The Netherlands. 06 27744048, internal: 64048
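The approach Dennis describes, written out as an added example (my code, not from the thread, and not part of any OpenLDAP tool): it computes the attribute changes that lock or unlock one entry for every service that binds with the user's password, and renders them as LDIF for ldapmodify. The entry layout, the helper names, the fake hash and the DN are assumptions made for this example. One caveat a practitioner should know: slapd treats a userPassword value that does not start with a recognised {scheme} as a cleartext password, so after locking, the literal string "!{SSHA}..." is itself a valid bind password for that entry. The prefix therefore locks out anyone who only knows the old password; pair it with an ACL that denies auth access to userPassword for locked entries (Michael's suggestion later in this thread) or with ppolicy's pwdAccountLockedTime set to 000001010000Z, which slapo-ppolicy documents as a permanent lock.

```python
"""Lock and unlock an LDAP account for every service that binds with its
password, by rewriting the entry's own attributes.

Added example, not code from the thread. Assumptions (labelled): an entry is a
dict of attribute -> list of string values, as parsed from ldapsearch output;
the emitted LDIF is fed to ldapmodify by the caller. Locking follows Dennis's
suggestion (prefix userPassword with '!', the same convention shadow(5) uses
for a locked hash) plus Samba's 'D' flag in sambaAcctFlags.
"""
import base64
import re

LOCK_PREFIX = "!"
# sambaAcctFlags looks like "[U          ]": capital letters padded to a fixed
# width inside square brackets.
SAMBA_FLAGS_RE = re.compile(r"^\[([A-Z ]*)\]$")


def lock_password(value: str) -> str:
    """Return the stored hash with the lock prefix (idempotent)."""
    return value if value.startswith(LOCK_PREFIX) else LOCK_PREFIX + value


def unlock_password(value: str) -> str:
    """Strip the lock prefix if present."""
    return value[len(LOCK_PREFIX):] if value.startswith(LOCK_PREFIX) else value


def set_samba_flag(flags: str, flag: str, enabled: bool) -> str:
    """Add or remove one flag letter, keeping Samba's bracketed fixed width."""
    m = SAMBA_FLAGS_RE.match(flags)
    if not m:
        raise ValueError(f"not a sambaAcctFlags value: {flags!r}")
    letters = set(m.group(1).replace(" ", ""))
    if enabled:
        letters.add(flag)
    else:
        letters.discard(flag)
    body = "".join(sorted(letters))
    return "[" + body.ljust(len(m.group(1))) + "]"


def lock_entry(entry: dict, lock: bool = True) -> list:
    """Compute the attribute replacements that lock (or unlock) the entry.

    Returns a list of (attribute, new_values) pairs; attributes the entry does
    not carry are left alone, so a plain posixAccount only gets userPassword.
    """
    mods = []
    if "userPassword" in entry:
        fn = lock_password if lock else unlock_password
        mods.append(("userPassword", [fn(v) for v in entry["userPassword"]]))
    if "sambaAcctFlags" in entry:
        mods.append(("sambaAcctFlags",
                     [set_samba_flag(v, "D", lock) for v in entry["sambaAcctFlags"]]))
    return mods


def is_locked(entry: dict) -> bool:
    """True when every password-bearing attribute says 'locked'.

    pwdAccountLockedTime is set by the ppolicy overlay (not by this script) and
    also counts: a ppolicy-locked account cannot bind either.
    """
    if entry.get("pwdAccountLockedTime"):
        return True
    checks = [v.startswith(LOCK_PREFIX) for v in entry.get("userPassword", [])]
    for v in entry.get("sambaAcctFlags", []):
        m = SAMBA_FLAGS_RE.match(v)
        checks.append(bool(m) and "D" in m.group(1))
    return bool(checks) and all(checks)


def ldif_value(attr: str, value: str) -> str:
    """Render one LDIF attribute line, base64-encoding when RFC 2849 needs it
    (and always for userPassword, which is what ldapsearch does too)."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or "\n" in value or "\r" in value or attr == "userPassword")
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def to_ldif(dn: str, mods: list) -> str:
    """Render the modifications as a 'changetype: modify' LDIF record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, values in mods:
        lines.append(f"replace: {attr}")
        lines.extend(ldif_value(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample entry (the hash is fake), shaped like ldapsearch output.
SAMPLE_ENTRY = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=org",
    "objectClass": ["inetOrgPerson", "posixAccount", "sambaSamAccount"],
    "uid": ["jdoe"],
    "userPassword": ["{SSHA}ZmFrZS1oYXNoLWZvci1leGFtcGxlLW9ubHk="],
    "sambaAcctFlags": ["[U          ]"],
}

if __name__ == "__main__":
    # Pipe the output into: ldapmodify -H ldapi:/// -Y EXTERNAL
    print(to_ldif(SAMPLE_ENTRY["dn"], lock_entry(SAMPLE_ENTRY)))
```

Run it with the entry you fetched via ldapsearch and feed the printed record to ldapmodify; `lock_entry(entry, lock=False)` produces the reverse record. Services that authenticate through Samba honour the D flag themselves; everything that does a simple bind as the user (pam_ldap, ownCloud's LDAP backend, an FTP daemon using LDAP) fails to bind once the hash carries the prefix, subject to the cleartext caveat above.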
Hello all,
I am missing something important about ppolicy and (syncrepl) replication.
The master openldap has an mdb database with the following overlays:

# {0}ppolicy, {1}mdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=pre_default,ou=policies,dc=example,dc=org

# {1}syncprov, {1}mdb, config
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 20 10
olcSpSessionlog: 500
ppolicy works fine on the master:

ldapwhoami -x -ZZ -h master.example.org -D uid=malvezzi,ou=people,dc=example,dc=org -w secret -e ppolicy
ldap_bind: Invalid credentials (49); Password expired
The entry is:

sudo ldapsearch -H ldapi:/// -Y EXTERNAL 'uid=malvezzi' +
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

# malvezzi, people, example.org
dn: uid=malvezzi,ou=people,dc=example,dc=org
structuralObjectClass: inetOrgPerson
entryUUID: 982dbc48-f125-1032-8ef6-db4e8deee77a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20131204114727Z
pwdHistory: 20140428131956Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YC2cJflzdWctkxDL2xBR+TDj/oRWzGAh
pwdHistory: 20140428132623Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}vHW/cNKDwZTkM0pMFJ/venY9OhYR+T2c
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org
pwdChangedTime: 20140311071845Z
entryCSN: 20140428135251.204124Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140428135251Z
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
On the replica slave, ppolicy looks inactive:

ldapwhoami -x -H ldapi:/// -D uid=malvezzi,ou=people,dc=example,dc=org -w secret -e ppolicy
dn:uid=malvezzi,ou=people,dc=example,dc=org
The entry on the slave looks correct:

ldapsearch -x -h slave.example.org -ZZ -D uid=malvezzi,ou=people,dc=example,dc=org -w secret -e ppolicy 'uid=malvezzi' +

dn: uid=malvezzi,ou=people,dc=example,dc=org
structuralObjectClass: inetOrgPerson
entryUUID: 982dbc48-f125-1032-8ef6-db4e8deee77a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20131204114727Z
pwdHistory: 20140428131956Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YC2cJflzdWctkxDL2xBR+TDj/oRWzGAh
pwdHistory: 20140428132623Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}vHW/cNKDwZTkM0pMFJ/venY9OhYR+T2c
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org
pwdChangedTime: 20140311071845Z
entryCSN: 20140428135251.204124Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140428135251Z
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
(on the slave):

ldapsearch -H ldapi:/// -Y EXTERNAL cn=default30g

dn: cn=default30g,ou=policies,dc=example,dc=org
cn: default30g
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 60000
pwdFailureCountInterval: 30
pwdInHistory: 2
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2592000
pwdMaxFailure: 0
pwdMinAge: 0
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: scadenza password ogni 30 giorni
pwdGraceAuthNLimit: 0
pwdMinLength: 8
objectClass: person
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdCheckQuality: 1
pwdCheckModule: check_password.so
The ppolicy overlay is enabled on the replica database.
Should I enable the ppolicy overlay on the glue database as well?
If I type a wrong password, the master adds a pwdFailureTime line; the slave does not.
What am I missing?
Thank you all,
Francesco
[...]
Should I enable the ppolicy overlay on the glue database as well?
Do the policies have to be self-enclosed in the replica database (example follows)?
thank you,
Francesco
Example: the replicated subtree is ou=people,dc=example,dc=org

Not self-enclosed:
entry: uid=malvezzi,ou=people,dc=example,dc=org
[...]
pwdPolicySubentry: cn=default30g,ou=policies,dc=example,dc=org

Here cn=default30g,ou=policies,dc=example,dc=org has to be created by hand on the slave server.

Self-enclosed:
uid=malvezzi,ou=people,dc=example,dc=org
[...]
pwdPolicySubentry: cn=default30g,ou=policies,ou=people,dc=example,dc=org

Of course cn=default30g,ou=policies,ou=people,dc=example,dc=org should exist and be replicated.
On 29/04/2014 08:35, Francesco Malvezzi wrote:
[...]
Should I enable the ppolicy overlay on the glue database as well?
No, it's not necessary.
Do the policies have to be self-enclosed in the replica database (example follows)?
Yes: this solved my issue.
thank you,
Francesco
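The rule Francesco arrived at, as an added example (my code, not from the thread or from OpenLDAP): a syncrepl consumer only receives entries under its searchbase, so any pwdPolicySubentry value, and the overlay's olcPPolicyDefault, that points outside that subtree is a policy the consumer's ppolicy overlay can never load. The check below walks a set of entries and reports every such reference, so the policies can be moved under the replicated subtree or, failing that, maintained by hand on each consumer. The entry layout, the function names and the simplified DN normalisation (lower-casing and trimming each RDN, keeping backslash escapes as they are) are assumptions of this example; the sample DNs are constructed to mirror the thread.

```python
"""Find password-policy references that a syncrepl consumer will never see.

Added example, not from the thread. It generalises Francesco's finding: the
ppolicy overlay on a consumer can only apply policies that live inside the
replicated subtree, so every pwdPolicySubentry value (and the overlay's
olcPPolicyDefault) must be subordinate to the consumer's syncrepl searchbase.
Assumptions (labelled): entries are dicts of attribute -> list of values;
DN normalisation is simplified (lower-case, trimmed RDNs, backslash escapes
kept as-is), which is enough for the plain DNs used here.
"""


def split_dn(dn: str) -> list:
    """Split a DN into normalised RDN strings, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # keep "\," and friends intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return rdns


def is_subordinate(dn: str, base: str) -> bool:
    """True when dn lies under base (or equals it)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def policy_references(entries: list, default_policy: str = None) -> set:
    """Collect (referrer, policy DN) pairs from the entries and the overlay default."""
    refs = set()
    if default_policy:
        refs.add(("olcPPolicyDefault", default_policy))
    for e in entries:
        for p in e.get("pwdPolicySubentry", []):
            refs.add((e["dn"], p))
    return refs


def policies_outside_replica(entries: list, default_policy: str, searchbase: str) -> list:
    """Return sorted (referrer, policy DN) pairs whose policy is not replicated."""
    return sorted(
        (who, pol) for who, pol in policy_references(entries, default_policy)
        if not is_subordinate(pol, searchbase)
    )


# Constructed data mirroring the thread: the consumer replicates only
# ou=people, while the policies sit beside it under ou=policies.
SEARCHBASE = "ou=people,dc=example,dc=org"
DEFAULT_POLICY = "cn=pre_default,ou=policies,dc=example,dc=org"
BEFORE = [{
    "dn": "uid=malvezzi,ou=people,dc=example,dc=org",
    "pwdPolicySubentry": ["cn=default30g,ou=policies,dc=example,dc=org"],
}]
# After moving the policies under the replicated subtree (self-enclosed).
AFTER = [{
    "dn": "uid=malvezzi,ou=people,dc=example,dc=org",
    "pwdPolicySubentry": ["cn=default30g,ou=policies,ou=people,dc=example,dc=org"],
}]

if __name__ == "__main__":
    for who, pol in policies_outside_replica(BEFORE, DEFAULT_POLICY, SEARCHBASE):
        print(f"{who}: policy {pol} is outside {SEARCHBASE}; "
              f"ppolicy will be inert on the consumer")
```

In practice, feed it the entries from `ldapsearch -H ldap://master -b <searchbase> pwdPolicySubentry` and the olcPPolicyDefault value from cn=config; an empty result means every policy the consumer needs will arrive through syncrepl. The same check applies to any other entry a consumer-side overlay dereferences by DN.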
Julien Courtès wrote:
Hi, I want to disable an account without deleting the information about it. This account is linked with some services such as Owncloud, FTP authentication, Samba, Linux auth and SSH auth. Is there a way to disable the account for all the services? I know that I can disable the account for Samba with sambaAcctFlags, but I don't know an easy way for the other services.
Use ACLs. At minimum define an appropriate filter-based ACL for 'userPassword'.
Ciao, Michael.
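One way to write the filter-based ACL Michael suggests, as an added example (mine, not from the thread): it denies auth access to userPassword for every entry whose sambaAcctFlags carries Samba's D flag, so a simple bind as that user fails with invalid credentials while the entry and its hash stay in place. It assumes the database is olcDatabase={1}mdb as in Francesco's config and that "disabled" is signalled by the flag Julien already sets; with a custom attribute of the kind Julien proposed, filter=(accountStatus=disabled) works the same way, provided the attribute exists in the schema.

```ldif
# Added example, not from the thread. Inserted at index {0} so it is evaluated
# before the usual "to attrs=userPassword by self write by anonymous auth" rule;
# slapd stops at the first "access to" clause whose target matches.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword filter=(sambaAcctFlags=*D*)
  by * none
```

Load it with `ldapmodify -H ldapi:/// -Y EXTERNAL -f disable-acl.ldif`, then confirm with `ldapwhoami -x -D <dn> -w <password>` (expect error 49 for a flagged entry) or `slapacl -F /etc/ldap/slapd.d -b <dn> userPassword/auth`. This only affects services that authenticate by binding as the user; Samba reads sambaNTPassword with its own credentials and enforces the D flag itself, and the rootdn bypasses ACLs entirely.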
openldap-technical@openldap.org