How to disable an LDAP account?

Solution 1:

Heh.

Unix/Linux and a standardized way to do something. Funny lad you are. I know, I know, in many cases there are standard ways of doing things, but LDAP certainly is not one of them. LDAP rhymes with the Perl motto, "There's more than one way to do it".

The same convention as in /etc/passwd (or in /etc/shadow, to be precise) will work. Underneath, your system is using the PAM (for authentication) and NSS (for name lookup) libraries to resolve the account information, and for userland applications it's transparent whether the result arrived from pam_ldap, pam_mysql, nss_files, nss_bdb, nss_mysql, nss_ldap or some other source, as long as it's in the standard form.

So, when it comes to LDAP ...

  • Some like to write their own scripts utilizing ldapmodify
  • Others use graphical clients such as gq or Luma
  • Others use Perl and Net::LDAP or other scripting languages and their LDAP bindings
  • Others use PHPMyAdmin and similar web interfaces

What's your preferred way? If using the passwd command, then you just need to hook your system with pam_ldap and nss_ldap. Then all the familiar utilities will continue to work as usual.
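The "same convention as /etc/shadow" point above, written out as an added example (not code from the answer): disabling a user by expiring the account, which is what `usermod --expiredate 1970-01-02` does for a local account. It assumes the entry carries the shadowAccount objectClass and that the account-management stage (pam_ldap with nss_ldap, or sssd with `ldap_account_expire_policy = shadow`) honours `shadowExpire`; the base DN, bind DN and the user `jdoe` are placeholders.

```shell
#!/bin/sh
# Added example, not from the answer: disable/enable an LDAP posixAccount the way
# /etc/shadow does it, by setting shadowExpire (days since the epoch) to a past day.
# Assumptions: shadowAccount objectClass on the entry, a PAM stack that checks
# shadowExpire during account management, placeholder DNs below.

BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"   # placeholder
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=example,dc=com}"  # placeholder
LDAP_URI="${LDAP_URI:-ldapi:///}"

# LDIF that expires the account on day 1 (2 January 1970). The value must be > 0:
# pam_ldap and sssd treat 0 (and absence) as "no expiry", so "1" is the usual choice.
shadow_disable_ldif() {
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: shadowExpire\nshadowExpire: 1\n' "$1" "$BASE_DN"
}

# LDIF that removes shadowExpire again, re-enabling the account without touching
# the password hash, so the user keeps the credentials they had.
shadow_enable_ldif() {
    printf 'dn: uid=%s,%s\nchangetype: modify\ndelete: shadowExpire\n' "$1" "$BASE_DN"
}

# Feed an LDIF from stdin into ldapmodify (-x simple bind, -W prompts for the password).
apply_ldif() {
    ldapmodify -x -D "$ADMIN_DN" -W -H "$LDAP_URI"
}

# Usage:  sh shadow-disable.sh jdoe        (disable)
#         sh shadow-disable.sh --enable jdoe
if [ "${1:-}" = "--enable" ] && [ -n "${2:-}" ]; then
    shadow_enable_ldif "$2" | apply_ldif
elif [ -n "${1:-}" ]; then
    shadow_disable_ldif "$1" | apply_ldif
fi
```

Because only `shadowExpire` changes, `getent passwd jdoe` still resolves the user through NSS (files, cron jobs and ownership lookups keep working), while the PAM account-management check refuses logins; that is the same split a `!`-prefixed hash in /etc/shadow gives you locally.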

Solution 2:

You might be interested in trying slapo-ppolicy (Password Policy overlay), as suggested here. That's indeed a sort of standard, though it might be a bit overkill for what you're trying to do. Specifically, the interesting attribute is

pwdAccountLockedTime

   This attribute contains the time that the user's  account  was  locked.
   If  the  account has been locked, the password may no longer be used to
   authenticate the user to the directory.  If pwdAccountLockedTime is set
   to  000001010000Z,  the  user's account has been permanently locked and
   may only be unlocked by an administrator.
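As an added example (not part of the answer), here is the ppolicy route in practice: an LDIF that sets `pwdAccountLockedTime` to the permanent-lock sentinel `000001010000Z` quoted above, one that deletes it to unlock, and a small classifier that distinguishes an administrator's permanent lock from the temporary lock the overlay sets after too many failures. It assumes slapo-ppolicy is loaded on the server; DNs and the user `jdoe` are placeholders.

```shell
#!/bin/sh
# Added example, not from the answer: lock/unlock via slapo-ppolicy's
# pwdAccountLockedTime and read the lock state back. Assumes the ppolicy overlay
# is configured; the DNs are placeholders.

BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"   # placeholder
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=example,dc=com}"  # placeholder
LDAP_URI="${LDAP_URI:-ldapi:///}"

# Sentinel from the slapo-ppolicy man page: "permanently locked, admin must unlock".
PERMANENT_LOCK="000001010000Z"

# LDIF: lock the account permanently. The hash in userPassword is left intact.
ppolicy_lock_ldif() {
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: pwdAccountLockedTime\npwdAccountLockedTime: %s\n' \
        "$1" "$BASE_DN" "$PERMANENT_LOCK"
}

# LDIF: unlock by deleting the attribute (also clears an overlay-imposed lockout).
ppolicy_unlock_ldif() {
    printf 'dn: uid=%s,%s\nchangetype: modify\ndelete: pwdAccountLockedTime\n' "$1" "$BASE_DN"
}

# Classify a pwdAccountLockedTime value: empty = unlocked, the sentinel = permanent,
# any other generalized time = a lockout the overlay set at that moment (it expires
# after pwdLockoutDuration unless that is 0).
lock_state() {
    case "$1" in
        "")                echo "unlocked" ;;
        "$PERMANENT_LOCK") echo "locked-permanently" ;;
        *)                 echo "locked-since $1" ;;
    esac
}

# Query the directory. pwdAccountLockedTime is operational, so it must be requested
# by name (or with "+"); it is not returned by a default attribute list.
show_lock_state() {
    value=$(ldapsearch -x -LLL -D "$ADMIN_DN" -W -H "$LDAP_URI" -b "$BASE_DN" \
                "(uid=$1)" pwdAccountLockedTime | sed -n 's/^pwdAccountLockedTime: //p')
    lock_state "$value"
}

# Usage:  ppolicy_lock_ldif jdoe | ldapmodify -x -D "$ADMIN_DN" -W -H "$LDAP_URI"
#         show_lock_state jdoe
```

The value of this route over a hand-rolled flag is that the server itself enforces it: a bind by a locked user fails with a ppolicy response regardless of which client, language binding or PAM module is asking, so the "overkill" remark in the answer is really about the rest of the overlay (ageing, history, quality), not about this attribute.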

Solution 3:

There is no standard way but there are several ways to accomplish this, each being a configuration option in ldap.conf (or pam-ldap.conf depending on your distribution and their pam_ldap build-time settings):

pam_filter: Use a custom filter together with an attribute in LDAP that denotes an inactive account.

pam_check_host_attr: pam_ldap will check if there is a matching "host" attribute on the user object. If you implement it this way, you could just remove/add the hostname to this attribute depending on whether the user should be able to log in. This would not touch his password.

pam_check_service_attr: Haven’t used this yet but should work in a similar way as pam_check_host_attr.
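The `pam_check_host_attr` and `pam_filter` options above, as an added example that is not part of the answer. It shows the client-side setting, the LDIFs that grant or revoke a host, and a small function that mirrors pam_ldap's host check (a value equal to the local hostname, or `*`, allows login; with the option enabled and no `host` value at all, login is refused). Assumptions: pam_ldap built with host-attribute support, the `host` attribute available on the entry (the `account` objectClass from the cosine schema supplies it), placeholder DNs, and a hypothetical `accountDisabled` attribute in the `pam_filter` line.

```shell
#!/bin/sh
# Added example, not from the answer: per-host access via pam_check_host_attr, plus
# the pam_filter alternative. Assumes pam_ldap honours these options and that the
# entry may carry "host" (cosine "account" objectClass). DNs are placeholders.
#
# Client side, /etc/ldap.conf or /etc/pam_ldap.conf:
#   pam_check_host_attr yes
# Alternative: refuse users carrying a flag you maintain yourself. "accountDisabled"
# is a hypothetical attribute, not a standard one:
#   pam_filter (&(objectClass=posixAccount)(!(accountDisabled=TRUE)))

BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"   # placeholder
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=example,dc=com}"  # placeholder
LDAP_URI="${LDAP_URI:-ldapi:///}"

# LDIF: allow the user on one more host (other host values stay as they are).
host_grant_ldif() {
    printf 'dn: uid=%s,%s\nchangetype: modify\nadd: host\nhost: %s\n' "$1" "$BASE_DN" "$2"
}

# LDIF: remove exactly that host value. Removing the last value disables the
# user everywhere, because an entry with no "host" is refused when the option is on.
host_revoke_ldif() {
    printf 'dn: uid=%s,%s\nchangetype: modify\ndelete: host\nhost: %s\n' "$1" "$BASE_DN" "$2"
}

# Mirror of pam_ldap's decision. $1 = this machine's hostname, remaining arguments =
# the host values on the entry. Prints "yes" or "no".
host_allows_login() {
    target=$1; shift
    for h in "$@"; do
        if [ "$h" = "$target" ] || [ "$h" = '*' ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# Usage: host_grant_ldif jdoe web01.example.com | ldapmodify -x -D "$ADMIN_DN" -W -H "$LDAP_URI"
```

Note that only the PAM account stage consults `host`; NSS lookups and binds done directly against the directory by other applications ignore it, so this disables interactive logins on pam_ldap hosts without disabling the account in the directory itself. That is the behaviour the answer describes ("would not touch his password"), and it is worth knowing which side of that line you want before picking this over ppolicy.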