2008/10/23 Ralf Haferkamp <rhafer@suse.de>:
On Wednesday 22 October 2008 20:39:01, Ciro Iriarte wrote:
2008/10/22 Rui Santos <rsantos@ruisantos.com>:
Do you mean disable like "smbpasswd -d <user>" ?
-- Rui Santos http://www.ruisantos.com/
No, like disabling the ldap account.... For unix/linux authentication it was enough to change the shell attribute to "nologin", but other services using LDAP (like web applications) won't even notice this attribute. The idea is to deny a "bind" to the directory...

There are multiple ways to achieve that:
- if your OpenLDAP server is configured to use the password-policy overlay you could use the "pwdAccountLockedTime" Attribute to prevent users from logging in (see slapo-ppolicy manpage and OpenLDAP Administrators Guide for details). YaST has support for the password-policy overlay, BTW.
- You can replace the password hash in the userPassword Attribute with something that prevents the bind from succeeding. E.g. put a "!" in front of the hash (right after the closing `}`). IIRC YaST does something like this when the ppolicy overlay is not used.
- You could define some kind of "accountDisabled" Attribute yourself, and use that attribute to deny "auth" using ACLs with a filter rule.
-- regards, Ralf
Thanks! Options 1 and 3 seem to provide what I'm looking for, will check both of them before trying to build packages for FedoraDS or wrestling with OpenDS.

Regards, Ciro
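Options 1 and 2 from Ralf's reply, sketched as an added example that is not part of the original thread: it builds the `ldapmodify` input for a ppolicy lock and for the "!" marker in the stored hash. The DN and hash are constructed samples, and all function names are hypothetical.

```python
import base64
import re

# slapo-ppolicy(5): this pwdAccountLockedTime value means "locked until an admin resets it"
PERMANENT_LOCK = "000001010000Z"
_SCHEME = re.compile(r"^(\{[^{}]+\})(.*)$", re.S)

def read_value(ldif_line: str) -> str:
    """Return the value of one LDIF line; 'attr:: ...' means it is base64-encoded."""
    _attr, _, rest = ldif_line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("ascii")
    return rest.strip()

def lock_hash(value: str) -> str:
    """Option 2: put '!' right after the closing '}' of the scheme prefix (idempotent)."""
    m = _SCHEME.match(value)
    if not m:
        raise ValueError("value has no {SCHEME} prefix; the '!' marker cannot be placed")
    scheme, digest = m.groups()
    return value if digest.startswith("!") else f"{scheme}!{digest}"

def unlock_hash(value: str) -> str:
    """Undo lock_hash(); values that are not locked are returned unchanged."""
    m = _SCHEME.match(value)
    if m and m.group(2).startswith("!"):
        return m.group(1) + m.group(2)[1:]
    return value

def modify_ldif(dn: str, attr: str, value: str) -> str:
    """Build a 'replace' record for ldapmodify."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n"
            f"{attr}: {value}\n-\n")

def ppolicy_lock(dn: str) -> str:
    """Option 1: lock through the password-policy overlay."""
    return modify_ldif(dn, "pwdAccountLockedTime", PERMANENT_LOCK)

def hash_lock(dn: str, userpassword_line: str) -> str:
    """Option 2: lock by rewriting the stored hash read from an LDIF export."""
    return modify_ldif(dn, "userPassword", lock_hash(read_value(userpassword_line)))

if __name__ == "__main__":
    # Constructed sample entry and hash, not taken from a real directory
    dn = "uid=jdoe,ou=people,dc=example,dc=com"
    line = "userPassword:: " + base64.b64encode(b"{SSHA}c2FtcGxlLWhhc2gtdmFsdWU=").decode()
    print(ppolicy_lock(dn))
    print(hash_lock(dn, line))
```

Because `unlock_hash()` restores the original value, the hash-based lock can be reversed without resetting the user's password.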