On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote:

> So, I need a reliable way to lock an account that can handle both methods.

I haven't followed the thread closely, but if I understand you correctly: you want to disable/lock an account, without hiding it from ls etc? As in, making sure the user can't authenticate?

If this is the case, do it the old standardized UNIX way: put an asterisk in front of the password.

Example: I'm using Kerberos V as 'password storage', hence my userPassword attribute looks like:

    dn: uid=turbo,ou=People,o=FREQVIST,c=SE
    userPassword: {SASL}tu...@bayour.com

Simplest way to lock me out would simply be to do a:

    dn: uid=turbo,ou=People,o=FREQVIST,c=SE
    changetype: modify
    replace: userPassword
    userPassword: *{SASL}tu...@bayour.com

and send this to 'ldapmodify'...

This (should) work with any form of system you're using (pam, nss, sssd etc). It simply stops the authorization process, nothing else.

--
Choose a job you love, and you will never have to work a day in your life.
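The asterisk lock described above, as an added example that is not part of the original mail: it builds the `replace: userPassword` LDIF for ldapmodify, keeps the lock/unlock idempotent (no `**` on a repeated lock), and the DN, sample password value and the bind parameters of `apply()` are assumptions.

```python
# Added example (not from the mail): lock or unlock an account by prefixing
# userPassword with "*", emitted as an LDIF change record for ldapmodify.
# Caveat: this only stops binds that verify against userPassword; a direct
# SASL/GSSAPI bind or an already-issued ticket is not affected by it.
import subprocess

LOCK_PREFIX = "*"


def is_locked(user_password: str) -> bool:
    """True if the stored value already carries the lock prefix."""
    return user_password.startswith(LOCK_PREFIX)


def lock_password(user_password: str) -> str:
    """Return the locked form; unchanged if it is already locked."""
    return user_password if is_locked(user_password) else LOCK_PREFIX + user_password


def unlock_password(user_password: str) -> str:
    """Strip exactly one lock prefix; unchanged if it is not locked."""
    return user_password[len(LOCK_PREFIX):] if is_locked(user_password) else user_password


def modify_ldif(dn: str, new_value: str) -> str:
    """LDIF 'replace: userPassword' change record, as ldapmodify expects it."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {new_value}\n"
        "-\n"
    )


def lock_account_ldif(dn: str, current: str) -> str:
    return modify_ldif(dn, lock_password(current))


def unlock_account_ldif(dn: str, current: str) -> str:
    return modify_ldif(dn, unlock_password(current))


def apply(ldif: str, uri: str, bind_dn: str, passwd_file: str) -> int:
    """Pipe the LDIF into ldapmodify (URI, bind DN and password file are assumed)."""
    cmd = ["ldapmodify", "-H", uri, "-D", bind_dn, "-y", passwd_file]
    return subprocess.run(cmd, input=ldif, text=True).returncode


if __name__ == "__main__":
    dn = "uid=turbo,ou=People,o=FREQVIST,c=SE"   # DN taken from the mail
    current = "{SASL}turbo@example.com"           # constructed sample value
    print(lock_account_ldif(dn, current))         # feed this to apply() to lock
```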