How to disable an LDAP account?

accounts ldap openldap

Solution 1:

Heh.

Unix/Linux and a standardized way to do something. Funny lad you are. I know, I know, in many cases there are standard ways of doing things, but LDAP certainly is not one of them. LDAP rhymes with the Perl motto, "There's more than one way to do it".

The same convention than in the /etc/passwd (or, in /etc/shadow to be precise) will work. Undernearth your system is using the PAM (for authentication) and NSS libraries (for name lookup) for resolving the account information and for userland applications it's transparent if the result arrived from pam_ldap, pam_mysql, nss_files, nss_bdb, nss_mysql, nss_ldap or some other source as long as it's in the standard form.

So, when it comes to LDAP ...

  • Some like to write their own scripts utilizing ldapmodify
  • Others use graphical clients such as gq or Luma
  • Others use Perl and Net::LDAP or other scripting languages and their LDAP bindings
  • Others use PHPMyAdmin and similar web interfaces

What's your preferred way? If using the passwd command, then you just need to hook your system with pam_ldap and nss_ldap. Then all the familiar utilities will continue to work as usual.

Solution 2:

You might be interested in trying slapo-ppolicy (Password Policy overlay), as suggested here. That's indeed a sort of standard, though it might be a bit overkill for what you're trying to do. Specifically, the interesting attribute is 

pwdAccountLockedTime

   This attribute contains the time that the user's  account  was  locked.
   If  the  account has been locked, the password may no longer be used to
   authenticate the user to the directory.  If pwdAccountLockedTime is set
   to  000001010000Z,  the  user's account has been permanently locked and
   may only be unlocked by an administrator.

Solution 3:

There is no standard way but there are several ways to accomplish this, each being a configuration option in ldap.conf (or pam-ldap.conf depending on your distribution and their pam_ldap build-time settings):

pam_filter: Use a custom filter together with an attribute in LDAP that denotes an inactive account.

pam_check_host_attr: pam_ldap will check if there is a matching "host" attribute on the user object. If you implement it this way you could just remove/add the hostname to this attribute if the user should be able to login. This would not touch his password.

pam_check_service_attr: Haven’t used this yet but should work in a similar way as pam_check_host_attr.

Related

Find out how many DNS Queries/month via WHM or SSH?
Get list of user-agents from nginx log
Does Windows try to look for IPv6 AAAA records even when it does not have a routable IPv6 address?
VDI Comparison - VMWare View vs. XenDesktop vs. Sun VDI
Avoid TIME_WAIT connections [duplicate]
How do large companies handle software updates for users without administrative rights?
Red Hat server minimal install
SMTP message rate control on Ubuntu 8.04, preferably with postfix
Does tmux have all the features that screen has? And those screen is missing?
SSH passphrase remembered in MacOSX Snow Leopard
Ansible playbook to upload and execute a python script
Using 4k drives with md/LVM/dm-crypt