Re: [Freeipa-users] Bash script to see if user is enabled or disabled?

2014-05-13 Thread Chris Whittle
Thanks everyone... Between what you guys said and some research I ended up
doing this
http://serverfault.com/questions/594443/how-can-i-force-a-mac-mobile-account-user-to-be-logged-out-or-locked-out-when-th/594773#594773


On Mon, May 12, 2014 at 4:31 PM, Michael ORourke mrorou...@earthlink.net wrote:

 I wrote a script to query IPA for accounts with passwords that are about
 to expire (so I can nag them with an email to reset their password), and I
 also added logic in my script to ignore accounts that are disabled.  So I
 needed a way to query my IPA server for this info.  I came up with 2
 solutions for checking if the account is disabled.
 1. Do an LDAP query on the user and check for an attribute called
 nsAccountLock.  If it is TRUE, then the account is disabled.  If it is
 FALSE or not defined, then the account is enabled.
 2. On a box with the IPA CLI tools installed, run the following command,
 ipa user-status username.  However, if you have several replicated IPA
 servers, you will see the status of the account on each IPA server along
 with the account status.

 I hope this helps.

 -Mike

 -Original Message-
 From: Chris Whittle
 Sent: May 12, 2014 10:31 AM
 To: freeipa-users
 Subject: [Freeipa-users] Bash script to see if user is enabled or
 disabled?

 I am working on my mac setups and am wanting to ping the server every so
 often and check to see if their user is enabled or disabled.  If Disabled
 then I will show them the login screen, log them out or something else..
 What I need is how to check to see if they are enabled or not through
 bash...  Anyone done something similar?


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Bash script to see if user is enabled or disabled?

2014-05-12 Thread Chris Whittle
I am working on my mac setups and am wanting to ping the server every so often and check to see if their user is enabled or disabled. If Disabled then I will show them the login screen, log them out or something else.. What I need is how to check to see if they are enabled or not through bash... Anyone done something similar?


Re: [Freeipa-users] Bash script to see if user is enabled or disabled?

2014-05-12 Thread Rob Crittenden

Chris Whittle wrote:

I am working on my mac setups and am wanting to ping the server every so
often and check to see if their user is enabled or disabled.  If
Disabled then I will show them the login screen, log them out or
something else..  What I need is how to check to see if they are enabled
or not through bash...  Anyone done something similar?


It depends on the tools you have. Probably the most common tool would be 
ldapsearch. It also depends on your configuration. I'm not very familiar 
with configuring macos, so here is my best shot.


Assuming you have a host keytab, you can do something like:

$ kinit host/fqdn.example.com -kt /etc/krb5.keytab
$ ldapsearch -LLL -Y GSSAPI -b uid=someuser,cn=users,cn=accounts,dc=example,dc=com nsaccountlock


If the value of nsaccountlock is TRUE then the account is disabled. Note 
that this is an operational attribute so you need to request it 
specifically. The possible values are:

 - nothing, the attribute hasn't been set yet
 - FALSE, the user is enabled
 - TRUE, the user is disabled

You can replace -Y GSSAPI with -x to do an anonymous search.

rob
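
An added example (not part of the message above and not FreeIPA's own code): a shell wrapper around the ldapsearch call described in this reply that maps the three nsaccountlock outcomes to exit codes and keeps a failed lookup separate from both "enabled" and "disabled". The function names account_state and check_user, the uid character check and the sample LDIF are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; account_state and check_user are hypothetical helper names.

# Read ldapsearch -LLL output on stdin and print: enabled, disabled or notfound.
account_state() {
    awk '
        /^dn:/ { found = 1 }
        # Attribute names are case-insensitive in LDAP, so compare lowercased.
        tolower($1) == "nsaccountlock:" { val = toupper($2) }
        END {
            if (!found)             print "notfound"
            else if (val == "TRUE") print "disabled"
            else                    print "enabled"   # FALSE or never set
        }'
}

# check_user UID -> exit 0 enabled, 1 disabled, 2 unknown (handle per local policy).
check_user() {
    # Refuse anything that could alter the DN (commas, equals signs, spaces).
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    # Base DN copied from the thread; adjust to the real suffix.
    base="uid=$1,cn=users,cn=accounts,dc=example,dc=com"
    # Assumes a Kerberos ticket already exists (kinit -kt as shown in the thread).
    out=$(ldapsearch -LLL -Y GSSAPI -b "$base" nsaccountlock 2>/dev/null) || return 2
    case $(printf '%s\n' "$out" | account_state) in
        enabled)  return 0 ;;
        disabled) return 1 ;;
        *)        return 2 ;;
    esac
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_DISABLED='dn: uid=someuser,cn=users,cn=accounts,dc=example,dc=com
nsAccountLock: TRUE'
SAMPLE_ENABLED='dn: uid=someuser,cn=users,cn=accounts,dc=example,dc=com
nsaccountlock: FALSE'
SAMPLE_UNSET='dn: uid=someuser,cn=users,cn=accounts,dc=example,dc=com'

printf '%s\n' "$SAMPLE_DISABLED" | account_state   # prints: disabled
```

A periodic client job can act only on exit status 1 and leave the session alone on 2, so an unreachable server or expired ticket is not mistaken for a disabled account.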



Re: [Freeipa-users] Bash script to see if user is enabled or disabled?

2014-05-12 Thread Michael ORourke
I wrote a script to query IPA for accounts with passwords that are about to expire (so I can nag them with an email to reset their password), and I also added logic in my script to ignore accounts that are disabled. So I needed a way to query my IPA server for this info. I came up with 2 solutions for checking if the account is disabled.

1. Do an LDAP query on the user and check for an attribute called "nsAccountLock". If it is TRUE, then the account is disabled. If it is FALSE or not defined, then the account is enabled.
2. On a box with the IPA CLI tools installed, run the following command, "ipa user-status username". However, if you have several replicated IPA servers, you will see the status of the account on each IPA server along with the account status.

I hope this helps.

-Mike

-Original Message-
From: Chris Whittle 
Sent: May 12, 2014 10:31 AM
To: freeipa-users 
Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?

I am working on my mac setups and am wanting to ping the server every so often and check to see if their user is enabled or disabled. If Disabled then I will show them the login screen, log them out or something else.. What I need is how to check to see if they are enabled or not through bash... Anyone done something similar?


