How do I determine if an Apple Open Directory user is disabled via LDAP?

ldap mac-osx-server opendirectory

I have an Open Directory user that has the "Access Account" box unchecked in Workgroup Manager so they cannot login. Is there a way to determine this using an LDAP query?

It would also be good to be able to check their Login Shell setting for /bin/false via LDAP, as some administrators use that to disable logins.


Solution 1:

Whether an account is disabled isn't stored in the LDAP database, so you can't get at it with any LDAP query; it's in the password server database, so you need to query the password server. To do this, you first need to get the account's password slot ID, which will be in one of the authAuthority attributes in LDAP, something like this:

authAuthority: ;ApplePasswordServer;0x4ae508585b4ac9840000000500000005,1024 35 
 1484429831226030758363098280788558407709702186716704057921377682138163682495133
 1971257473356121601282837516549920614867084718242948054970731529476886852497051
 1771493871066923475105955010041662310891335912128945258881795910315183596873989
 2049755102190782235854169470422244680045551515607049216054651273928793669 
 [email protected]:10.0.0.5

In this example, "0x4ae508585b4ac9840000000500000005" is the user's pasword slot ID. Once you have that, you can connect to the password server and check the user's password policies:

$ telnet 10.0.0.5 3659
Trying 10.0.0.5...
Connected to myserver.example.com.
Escape character is '^]'.
+OK ApplePasswordServer 10.6.0.0 password server at 10.1.0.1 ready.
getpolicy 0x4ae508585b4ac9840000000500000005
+OK isDisabled=1 isAdminUser=0 newPasswordRequired=0 usingHistory=0
canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0 expirationDateGMT=44451553867008
hardExpireDateGMT=44451553900288 maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0
minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0
requiresSymbol=0 notGuessablePattern=0 isSessionKeyAgent=0 isComputerAccount=0
adminClass=0 adminNoChangePasswords=0 adminNoSetPolicies=0 adminNoCreate=0
adminNoDelete=0 adminNoClearState=0 adminNoPromoteAdmins=0
quit
+OK password server signing off.
Connection closed by foreign host.

Note the "isDisabled=1" policy in that list, indicating that this user is currently disabled.

Solution 2:

To find the Login Shell value user:

Search filter of (loginShell=/bin/false) (Though you might need quotes around it since it has slashes in it.

Bind with an LDAP browser like ApacheDS or LBE and look at a user who can and one who cannot login, and look for obvious attributes.

While someone may just know the answer, this way teaches you to fish, instead of handing you a fish. Or else it just stinks like a rotten fish. Your mileage may vary.

Related

How do you configure IIS to trust internal Certificate Authorities for server-to-server https requests
iptables: forwarding ssh ports
Port statistics on Cisco switch
Secure LDAP Authentication with Active Directory
Hyper V over VPN?
Num Lock goes off when entering a virtual Server2008 in VMWare Workstation 7.1.0 ? (on Win7 x64)
Cannot access client pc remotely due to time/date issue xp win2k3 environment -- REMOTE solution please
Execute Bash script on Ubuntu from remote Windows machine?
How does NAT keep track of connections
How to change the temporary upload directory nginx/passenger?
Different SVN Server versions and Clients
Explain to a Jr. SysAdmin what happens when a PC joins a Windows 2008 Domain