[opensuse] Disabling accounts in OpenLDAP
Hi, does anyone know if it's possible now (wasn't before) to disable (disable != touch password field) an account in OpenLDAP? Maybe someone tried it on OpenSUSE 11.0 or 11.1 betas? Regards, Ciro -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Wed, Oct 22, 2008 at 3:41 PM, Ciro Iriarte <cyruspy@gmail.com> wrote:
Hi, does anyone know if it's possible now (wasn't before) to disable (disable != touch password field) an account in OpenLDAP? Maybe someone tried it on OpenSUSE 11.0 or 11.1 betas?
Regards, Ciro
I know nothing about ldap, but maybe this could help http://www.tools4ever.com/products/user-management-resource-administrator/do... -- Kind Regards
2008/10/22 Gabriel <gabriel@opensuse.org>:
On Wed, Oct 22, 2008 at 3:41 PM, Ciro Iriarte <cyruspy@gmail.com> wrote:
Hi, does anyone know if it's possible now (wasn't before) to disable (disable != touch password field) an account in OpenLDAP? Maybe someone tried it on OpenSUSE 11.0 or 11.1 betas?
Regards, Ciro
I know nothing about ldap, but maybe this could help http://www.tools4ever.com/products/user-management-resource-administrator/do...
-- Kind Regards --
That's for Windows AD. Regards, Ciro
Ciro Iriarte wrote:
Hi, does anyone know if it's possible now (wasn't before) to disable (disable != touch password field) an account in OpenLDAP? Maybe someone tried it on OpenSUSE 11.0 or 11.1 betas?
Do you mean disable like "smbpasswd -d <user>" ?
Regards, Ciro
-- Rui Santos http://www.ruisantos.com/ Veni, vidi, Linux!
2008/10/22 Rui Santos <rsantos@ruisantos.com>:
Do you mean disable like "smbpasswd -d <user>" ?
-- Rui Santos http://www.ruisantos.com/
No, like disabling the LDAP account... For Unix/Linux authentication it was enough to change the shell attribute to "nologin", but other services using LDAP (like web applications) won't even notice this attribute. The idea is to deny a "bind" to the directory... Regards, Ciro
Ciro Iriarte wrote:
2008/10/22 Rui Santos <rsantos@ruisantos.com>:
Do you mean disable like "smbpasswd -d <user>" ?
-- Rui Santos http://www.ruisantos.com/
No, like disabling the LDAP account... For Unix/Linux authentication it was enough to change the shell attribute to "nologin", but other services using LDAP (like web applications) won't even notice this attribute. The idea is to deny a "bind" to the directory...
That's a nice question... Check if the "Disable login user" (don't know what it does) option does what you want...
Regards, Ciro
-- Rui Santos http://www.ruisantos.com/ Veni, vidi, Linux!
2008/10/22 Rui Santos <rsantos@ruisantos.com>:
Ciro Iriarte wrote:
2008/10/22 Rui Santos <rsantos@ruisantos.com>:
Do you mean disable like "smbpasswd -d <user>" ?
-- Rui Santos http://www.ruisantos.com/
No, like disabling the LDAP account... For Unix/Linux authentication it was enough to change the shell attribute to "nologin", but other services using LDAP (like web applications) won't even notice this attribute. The idea is to deny a "bind" to the directory...
That's a nice question... Check if the "Disable login user" (don't know what it does) option does what you want...
Regards, Ciro
-- Rui Santos http://www.ruisantos.com/
Veni, vidi, Linux!
--
Hmmm, where? I'm talking about plain LDAP attributes...
Regards, Ciro
Ciro Iriarte wrote:
2008/10/22 Rui Santos <rsantos@ruisantos.com>:
Ciro Iriarte wrote:
2008/10/22 Rui Santos <rsantos@ruisantos.com>:
Do you mean disable like "smbpasswd -d <user>" ?
-- Rui Santos http://www.ruisantos.com/
No, like disabling the LDAP account... For Unix/Linux authentication it was enough to change the shell attribute to "nologin", but other services using LDAP (like web applications) won't even notice this attribute. The idea is to deny a "bind" to the directory...
That's a nice question... Check if the "Disable login user" (don't know what it does) option does what you want...
Regards, Ciro
-- Rui Santos http://www.ruisantos.com/
Veni, vidi, Linux!
--
Hmmm, where? I'm talking about plain LDAP attributes...
On the YaST user management you have that option. I do not know what it does. I'm just alerting you to it, so you can check if it does what you want...
Regards, Ciro
-- Rui Santos http://www.ruisantos.com/ Veni, vidi, Linux!
2008/10/23 Rui Santos <rsantos@ruisantos.com>:
On the YaST user management you have that option. I do not know what it does. I'm just alerting you to it, so you can check if it does what you want...
Thanks. Ciro
On Wednesday 22 October 2008 20:39:01 Ciro Iriarte wrote:
2008/10/22 Rui Santos <rsantos@ruisantos.com>:
Do you mean disable like "smbpasswd -d <user>" ?
-- Rui Santos http://www.ruisantos.com/
No, like disabling the LDAP account... For Unix/Linux authentication it was enough to change the shell attribute to "nologin", but other services using LDAP (like web applications) won't even notice this attribute. The idea is to deny a "bind" to the directory...
There are multiple ways to achieve that:
- If your OpenLDAP server is configured to use the password-policy overlay you could use the "pwdAccountLockedTime" attribute to prevent users from logging in (see the slapo-ppolicy manpage and the OpenLDAP Administrator's Guide for details). YaST has support for the password-policy overlay, BTW.
- You can replace the password hash in the userPassword attribute with something that prevents the bind from succeeding. E.g. put a "!" in front of the hash (right after the closing `}`). IIRC YaST does something like this when the ppolicy overlay is not used.
- You could define some kind of "accountDisabled" attribute yourself, and use that attribute to deny "auth" using ACLs with a filter rule.
-- regards, Ralf
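The following is an added example, not code from this thread, from OpenLDAP or from YaST. It turns Ralf's three options into something you can run: it generates the ldapmodify input for each approach, carries a slapd.conf ACL fragment for the third one, and audits an LDIF dump for accounts that are disabled under any of them (so you can see that a "nologin" shell, the thread's starting point, is not one of them). Assumptions: the custom attribute name accountDisabled (it has to exist in your schema), the example DNs, and the {SSHA} values, which are constructed placeholders rather than real hashes.

```python
"""Three ways to make an OpenLDAP account refuse binds (added example).

Not from the thread, OpenLDAP or YaST. The custom attribute name
'accountDisabled' (approach 3) is an assumption and must exist in your
schema; DNs and {SSHA} values in SAMPLE_LDIF are constructed placeholders.
"""
import base64
import re

# slapo-ppolicy(5): this pwdAccountLockedTime value means "permanently locked
# until an administrator clears it". Locking only takes effect if the policy
# has pwdLockout: TRUE. The attribute is operational: modify it as rootdn
# (some versions also need the Relax Rules control, `ldapmodify -e relax`).
PERMANENT_LOCK = "000001010000Z"
DISABLED_ATTR = "accountDisabled"  # assumed custom attribute for approach 3

# Approach 3, slapd.conf fragment. The first matching 'access to' clause wins,
# so this must precede the general userPassword rule: without 'auth' access
# to userPassword the simple bind fails. rootdn bypasses ACLs and can reset.
ACL_FRAGMENT = f"""\
access to filter=({DISABLED_ATTR}=TRUE) attrs=userPassword
        by * none
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
"""

_SCHEME = re.compile(r"^(\{[A-Za-z0-9-]+\})(.*)$", re.S)


def lock_hash(user_password: str) -> str:
    """Approach 2: insert '!' right after the scheme's closing '}'.
    '{SSHA}!<b64>' keeps the SSHA scheme, so slapd cannot decode the value
    and refuses the bind. A value without '{scheme}' would be compared as
    cleartext, so such input is rejected instead of guessed at. Idempotent."""
    m = _SCHEME.match(user_password)
    if not m:
        raise ValueError("userPassword has no {scheme} prefix")
    scheme, rest = m.groups()
    return user_password if rest.startswith("!") else f"{scheme}!{rest}"


def unlock_hash(user_password: str) -> str:
    """Reverse of lock_hash: the original hash is intact, just drop the '!'."""
    m = _SCHEME.match(user_password)
    if not m:
        raise ValueError("userPassword has no {scheme} prefix")
    scheme, rest = m.groups()
    return f"{scheme}{rest[1:]}" if rest.startswith("!") else user_password


def disable_ldif(dn: str, method: str, current_hash: str = "") -> str:
    """LDIF for `ldapmodify -x -D <rootdn> -W` implementing one approach."""
    if method == "ppolicy":
        body = f"replace: pwdAccountLockedTime\npwdAccountLockedTime: {PERMANENT_LOCK}"
    elif method == "hash":
        body = f"replace: userPassword\nuserPassword: {lock_hash(current_hash)}"
    elif method == "acl":
        body = f"replace: {DISABLED_ATTR}\n{DISABLED_ATTR}: TRUE"
    else:
        raise ValueError(f"unknown method {method!r}")
    return f"dn: {dn}\nchangetype: modify\n{body}\n-\n"


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank-line separated records, 'attr: value' and
    'attr:: base64' lines, folded continuation lines starting with a space."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            cur[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
        last = attr
    if cur:
        entries.append(cur)
    return entries


def disabled_reasons(entry: dict) -> list:
    """Why this entry cannot bind, checked against all three approaches."""
    reasons = []
    for t in entry.get("pwdAccountLockedTime", []):
        reasons.append("ppolicy: permanently locked" if t == PERMANENT_LOCK
                       else f"ppolicy: locked at {t} (expires per pwdLockoutDuration)")
    for pw in entry.get("userPassword", []):
        m = _SCHEME.match(pw)
        if m and m.group(2).startswith("!"):
            reasons.append("userPassword: hash invalidated with '!'")
    if any(v.upper() == "TRUE" for v in entry.get(DISABLED_ATTR, [])):
        reasons.append(f"{DISABLED_ATTR}=TRUE (bind denied by ACL filter)")
    return reasons


def audit(ldif_text: str) -> dict:
    """Map DN -> reasons for every disabled account in an LDIF dump."""
    return {e["dn"][0]: r for e in parse_ldif(ldif_text) if (r := disabled_reasons(e))}


# Constructed sample dump. erin only has a nologin shell, which stops PAM/NSS
# logins but not LDAP binds, so audit() must not report her.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {SSHA}cGxhY2Vob2xkZXI=

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {SSHA}!cGxhY2Vob2xkZXI=

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: {SSHA}cGxhY2Vob2xkZXI=
pwdAccountLockedTime: 000001010000Z

dn: uid=dave,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9Y0d4aFkyVm9iMnhrWlhJPQ==
accountDisabled: TRUE

dn: uid=erin,ou=People,dc=example,dc=com
userPassword: {SSHA}cGxhY2Vob2xkZXI=
loginShell: /sbin/nologin
"""

if __name__ == "__main__":
    for dn, why in audit(SAMPLE_LDIF).items():
        print(dn, "->", "; ".join(why))
    print(disable_ldif("uid=alice,ou=People,dc=example,dc=com", "ppolicy"))
```

The "!" goes inside the scheme, after the closing brace, exactly as Ralf describes: a userPassword value with no recognised {scheme} prefix is compared by slapd as cleartext, so "!{SSHA}..." would turn into a (strange but valid) password instead of a locked one. Of the three, only the ppolicy lock is understood by other LDAP clients and tools; the ACL approach is invisible to them, and the hash trick is recoverable only because the original digest is left untouched.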
2008/10/23 Ralf Haferkamp <rhafer@suse.de>:
On Wednesday 22 October 2008 20:39:01 Ciro Iriarte wrote:
2008/10/22 Rui Santos <rsantos@ruisantos.com>:
Do you mean disable like "smbpasswd -d <user>" ?
-- Rui Santos http://www.ruisantos.com/
No, like disabling the LDAP account... For Unix/Linux authentication it was enough to change the shell attribute to "nologin", but other services using LDAP (like web applications) won't even notice this attribute. The idea is to deny a "bind" to the directory... There are multiple ways to achieve that:
- If your OpenLDAP server is configured to use the password-policy overlay you could use the "pwdAccountLockedTime" attribute to prevent users from logging in (see the slapo-ppolicy manpage and the OpenLDAP Administrator's Guide for details). YaST has support for the password-policy overlay, BTW.
- You can replace the password hash in the userPassword attribute with something that prevents the bind from succeeding. E.g. put a "!" in front of the hash (right after the closing `}`). IIRC YaST does something like this when the ppolicy overlay is not used.
- You could define some kind of "accountDisabled" attribute yourself, and use that attribute to deny "auth" using ACLs with a filter rule.
-- regards, Ralf
Thanks! Options 1 and 3 seem to provide what I'm looking for; will check both of them before trying to build packages for FedoraDS or wrestling with OpenDS. Regards, Ciro
participants (4)
- Ciro Iriarte
- Gabriel
- Ralf Haferkamp
- Rui Santos