How to disable an LDAP account?

ldap openldap accounts
28,399

Solution 1

You might be interested in trying slapo-ppolicy (Password Policy overlay), as suggested here. That's indeed a sort of standard, though it might be a bit overkill for what you're trying to do. Specifically, the interesting attribute is 

pwdAccountLockedTime

   This attribute contains the time that the user's  account  was  locked.
   If  the  account has been locked, the password may no longer be used to
   authenticate the user to the directory.  If pwdAccountLockedTime is set
   to  000001010000Z,  the  user's account has been permanently locked and
   may only be unlocked by an administrator.

Solution 2

Heh.

Unix/Linux and a standardized way to do something. Funny lad you are. I know, I know, in many cases there are standard ways of doing things, but LDAP certainly is not one of them. LDAP rhymes with the Perl motto, "There's more than one way to do it".

The same convention than in the /etc/passwd (or, in /etc/shadow to be precise) will work. Undernearth your system is using the PAM (for authentication) and NSS libraries (for name lookup) for resolving the account information and for userland applications it's transparent if the result arrived from pam_ldap, pam_mysql, nss_files, nss_bdb, nss_mysql, nss_ldap or some other source as long as it's in the standard form.

So, when it comes to LDAP ...

  • Some like to write their own scripts utilizing ldapmodify
  • Others use graphical clients such as gq or Luma
  • Others use Perl and Net::LDAP or other scripting languages and their LDAP bindings
  • Others use PHPMyAdmin and similar web interfaces

What's your preferred way? If using the passwd command, then you just need to hook your system with pam_ldap and nss_ldap. Then all the familiar utilities will continue to work as usual.

Solution 3

There is no standard way but there are several ways to accomplish this, each being a configuration option in ldap.conf (or pam-ldap.conf depending on your distribution and their pam_ldap build-time settings):

pam_filter: Use a custom filter together with an attribute in LDAP that denotes an inactive account.

pam_check_host_attr: pam_ldap will check if there is a matching "host" attribute on the user object. If you implement it this way you could just remove/add the hostname to this attribute if the user should be able to login. This would not touch his password.

pam_check_service_attr: Haven’t used this yet but should work in a similar way as pam_check_host_attr.

Share:
28,399

Related videos on Youtube

Raphaël Hertzog
Author by

Raphaël Hertzog

Updated on September 17, 2022

Comments

  • Raphaël Hertzog
    Raphaël Hertzog over 1 year

    The LDAP uses the posixAccount schema and related attributes and I wonder if there's a standardized way to disable an account. Re-enabling the account should obviously re-enable the former password.

    I know that passwd --lock adds an exclamation mark in front of the encrypted password in /etc/passwd. Does the same convention work with the userPasswd field of an LDAP entry?

    Update: I know PAM/NSS underneath, my question was specifically targetted at the LDAP server. Once the account is locked I want the user to not be able to open an authenticated connection to the LDAP server itself (with his own credentials). That's because several services use a successful authenticated connection to LDAP as simple authentication mechanism without using PAM for this task (this is common with web interfaces).

  • Fladi
    Fladi over 13 years
    How does this solve the problem of disabling particular accounts in LDAP so that PAM recognizes them as disabled?
  • Janne Pikkarainen
    Janne Pikkarainen over 13 years
    "The same convention than in the /etc/passwd (or, in /etc/shadow to be precise) will work." is the line that helps. If Raphaël already has a method for prefixing the old passwords with !, then I just answered his question. How does your comment help him? :-)
  • Raphaël Hertzog
    Raphaël Hertzog over 13 years
    Thanks but I was wondering if the LDAP server itself had a convention since it manages authentication for connection to itself without PAM...
  • Raphaël Hertzog
    Raphaël Hertzog over 13 years
    Thanks but I was wondering if the LDAP server itself had a convention since it manages authentication for connection to itself without PAM... see my update in the question. I'm writing code in PHP so I use the php_lpad binding to modify the LDAP.
  • Fladi
    Fladi over 13 years
    Regarding your update: If that's what you want, go with Janne Pikkarainen's advise about prefixing the userPassword attribute with a "!" this will render the user unable to do an authenticated bind to LDAP without discarding the password.
  • Lasse Kliemann
    Lasse Kliemann over 4 years
    Adding ! at the front does not work as expected and can be dangerous. Please see my post on this topic with a possible solution.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What are the other alternative to test a LDAP connection on linux machine
inetOrgPerson with member or memberOf?
Nested Group LDAP Search Filter
How to add rights to an user with olcAccess, in an OpenLDAP 2.4
I need to find out disabled users from ldap
Is there an LDAP standard group membership attribute for users?
Decrypting OpenLDAP passwords
LDAPSEARCH into table format
Python ldap3 LDAPSocketOpenError unable to send message, socket is not open
Using LDAPSEARCH to return all Groups and OU's in an Active Directory domain