On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote:

> So, I need a reliable way to lock an account that can handle both methods.

I haven't followed the thread closely, but if I understand
you correctly: You want to disable/lock an account, without
hiding it from ls etc?

As in, making sure the user can't authenticate?


If this is the case, do it the old standardized UNIX way: put
an asterisk in front of the password.

Example: I'm using Kerberos V as 'password storage', hence my
userPassword attribute looks like:

        dn: uid=turbo,ou=People,o=FREQVIST,c=SE
        userPassword: {SASL}tu...@bayour.com

The simplest way to lock me out would be to simply do a:

        dn: uid=turbo,ou=People,o=FREQVIST,c=SE
        changetype: modify
        replace: userPassword
        userPassword: *{SASL}tu...@bayour.com

and send this to 'ldapmodify'...


This (should) work with any form of system you're using
(pam, nss, sssd etc). It simply stops the authorization
process, nothing else.
--
Choose a job you love, and you will never have
to work a day in your life.
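
As an added example (not part of the original message), a small shell helper that generates the lock or unlock change described above, without stacking asterisks or emitting a no-op change. The function names, the DN and the `{SASL}` value are constructed for illustration, and it assumes scheme-prefixed values such as `{SASL}...`, so a leading `*` is unambiguous.

```shell
#!/bin/sh
# Added example: build ldapmodify input that toggles a leading '*' on
# userPassword. Assumes values start with a scheme such as {SASL}.

# lock_value VALUE -> VALUE with exactly one leading '*'
lock_value() {
    case "$1" in
        '')  return 1 ;;              # no stored value, nothing to lock
        \**) printf '%s\n' "$1" ;;    # already locked: do not stack asterisks
        *)   printf '*%s\n' "$1" ;;
    esac
}

# unlock_value VALUE -> VALUE with the single leading '*' removed
unlock_value() {
    case "$1" in
        \*?*)   printf '%s\n' "${1#\*}" ;;
        '*'|'') return 1 ;;           # a bare '*' holds nothing to restore
        *)      printf '%s\n' "$1" ;; # not locked: unchanged
    esac
}

# modify_ldif ACTION DN CURRENT_VALUE -> LDIF on stdout, non-zero on refusal
modify_ldif() {
    action=$1 dn=$2 cur=$3
    case "$action" in
        lock)   new=$(lock_value "$cur") || return 1 ;;
        unlock) new=$(unlock_value "$cur") || return 1 ;;
        *)      return 2 ;;
    esac
    [ "$new" != "$cur" ] || return 3  # state already as requested: no-op
    # A value starting with space, ':' or '<' would need base64 in LDIF
    case "$new" in ' '*|:*|'<'*) return 4 ;; esac
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$dn" "$new"
}

# Constructed sample entry; pipe the output to ldapmodify with your own
# bind options to apply it.
modify_ldif lock 'uid=jdoe,ou=People,dc=example,dc=com' '{SASL}jdoe@EXAMPLE.COM'
```

The current `userPassword` value has to be read from the directory first, since the change replaces the whole attribute value rather than editing it in place.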