How do I determine if an Apple Open Directory user is disabled via LDAP?

I have an Open Directory user that has the "Access Account" box unchecked in Workgroup Manager so they cannot login. Is there a way to determine this using an LDAP query?

It would also be good to be able to check their Login Shell setting for /bin/false via LDAP, as some administrators use that to disable logins.


Solution 1:

Whether an account is disabled isn't stored in the LDAP database, so you can't get at it with any LDAP query; it's in the password server database, so you need to query the password server. To do this, you first need to get the account's password slot ID, which will be in one of the authAuthority attributes in LDAP, something like this:

authAuthority: ;ApplePasswordServer;0x4ae508585b4ac9840000000500000005,1024 35 
 1484429831226030758363098280788558407709702186716704057921377682138163682495133
 1971257473356121601282837516549920614867084718242948054970731529476886852497051
 1771493871066923475105955010041662310891335912128945258881795910315183596873989
 2049755102190782235854169470422244680045551515607049216054651273928793669 
 [email protected]:10.0.0.5

In this example, "0x4ae508585b4ac9840000000500000005" is the user's password slot ID. Once you have that, you can connect to the password server and check the user's password policies:

$ telnet 10.0.0.5 3659
Trying 10.0.0.5...
Connected to myserver.example.com.
Escape character is '^]'.
+OK ApplePasswordServer 10.6.0.0 password server at 10.1.0.1 ready.
getpolicy 0x4ae508585b4ac9840000000500000005
+OK isDisabled=1 isAdminUser=0 newPasswordRequired=0 usingHistory=0
canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0 expirationDateGMT=44451553867008
hardExpireDateGMT=44451553900288 maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0
minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0
requiresSymbol=0 notGuessablePattern=0 isSessionKeyAgent=0 isComputerAccount=0
adminClass=0 adminNoChangePasswords=0 adminNoSetPolicies=0 adminNoCreate=0
adminNoDelete=0 adminNoClearState=0 adminNoPromoteAdmins=0
quit
+OK password server signing off.
Connection closed by foreign host.

Note the "isDisabled=1" policy in that list, indicating that this user is currently disabled.
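The two parsing steps in this answer (pulling the slot ID and server address out of the authAuthority value, then reading isDisabled out of the getpolicy reply) are easy to get wrong by hand, so here is a small Python helper that does both. This is an added example, not code from the original post or from Apple; the sample authAuthority value and policy reply are constructed to mirror the ones shown above (with the RSA public key shortened), and the assumption that the part after the final "@" is the password server address comes from the telnet target in the answer. The query_policy function performs the same exchange as the telnet session over a TCP socket and is not exercised offline.

```python
"""Check whether an Open Directory account is disabled by asking the password
server for its policy, as the answer above describes.  Example code, not from
the original post; sample values are constructed."""
import re
import socket

# Constructed sample modelled on the authAuthority value in the answer.  The
# RSA public key is shortened; "<user>@<ip>" as the trailing host part is an
# assumption based on the answer's telnet target (10.0.0.5).
SAMPLE_AUTH_AUTHORITY = (
    ";ApplePasswordServer;0x4ae508585b4ac9840000000500000005,"
    "1024 35 14844298312260307583630982807885584077 root@10.0.0.5"
)

# Constructed sample getpolicy reply, laid out as the answer shows it.
SAMPLE_POLICY_REPLY = (
    "+OK isDisabled=1 isAdminUser=0 newPasswordRequired=0 usingHistory=0\n"
    "canModifyPasswordforSelf=1 usingExpirationDate=0 maxFailedLoginAttempts=0\n"
)


def parse_auth_authority(value):
    """Return (slot_id, server_host) from an ApplePasswordServer authAuthority
    value, or None when the value belongs to a different authority type."""
    parts = value.split(";")
    if len(parts) < 3 or parts[1] != "ApplePasswordServer":
        return None
    slot_id, _, key_and_host = parts[2].partition(",")
    if not re.fullmatch(r"0x[0-9a-fA-F]+", slot_id):
        raise ValueError("unexpected password slot id: %r" % slot_id)
    # Assumption: the public key is followed by "<user>@<server address>".
    host = key_and_host.rsplit("@", 1)[-1].strip() if "@" in key_and_host else None
    return slot_id, host


def parse_policy(reply):
    """Parse a getpolicy reply ('+OK key=value key=value ...') into a dict."""
    if not reply.startswith("+OK"):
        raise ValueError("password server error: %s" % reply.strip())
    return {key: int(val) for key, val in re.findall(r"(\w+)=(-?\d+)", reply)}


def is_disabled(policy):
    """isDisabled=1 in the policy means the account cannot log in."""
    return policy.get("isDisabled", 0) == 1


def query_policy(slot_id, host, port=3659, timeout=5.0):
    """Run the getpolicy exchange shown in the answer over TCP.

    Assumed to match the telnet session above (banner, 'getpolicy <slot>',
    one reply line, 'quit'); not exercised offline.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        conn = sock.makefile("rwb", buffering=0)
        banner = conn.readline()  # "+OK ApplePasswordServer ... ready."
        if not banner.startswith(b"+OK"):
            raise RuntimeError(banner.decode(errors="replace").strip())
        conn.write(("getpolicy %s\r\n" % slot_id).encode())
        reply = conn.readline().decode(errors="replace")
        conn.write(b"quit\r\n")
    return parse_policy(reply)


if __name__ == "__main__":
    slot, server = parse_auth_authority(SAMPLE_AUTH_AUTHORITY)
    print("slot %s on %s, disabled=%s"
          % (slot, server, is_disabled(parse_policy(SAMPLE_POLICY_REPLY))))
```

In practice you would fetch the authAuthority attribute with an ordinary LDAP search, feed each value to parse_auth_authority (a user can carry several authorities, and only the ApplePasswordServer one has a slot ID), and then call query_policy with the slot ID and the server address it returns.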

Solution 2:

To find users by their Login Shell value:

Search filter of (loginShell=/bin/false) (though you might need quotes around it since it has slashes in it).

Bind with an LDAP browser like ApacheDS or LBE and look at a user who can and one who cannot login, and look for obvious attributes.

While someone may just know the answer, this way teaches you to fish, instead of handing you a fish. Or else it just stinks like a rotten fish. Your mileage may vary.
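To make the loginShell search in this answer concrete, here is an added Python example (not code from the original post) that builds the search filter with proper RFC 4515 escaping, assembles the matching ldapsearch command line, and applies the same shell check to entries returned by a search. Under RFC 4515 only the characters \ * ( ) and NUL need escaping in a filter value, so a plain "/bin/false" is valid as written. The list of nologin shells, the use of the posixAccount object class for user records, the hypothetical server and base DN in the usage line, and the sample entries are all assumptions or constructed values.

```python
"""Locate Open Directory users whose login shell blocks interactive logins,
following the answer's (loginShell=/bin/false) idea.  Example code, not from
the original post; sample entries are constructed."""

# Assumed set of shells that administrators use to block logins.
NOLOGIN_SHELLS = ("/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin")

# Constructed sample entries, shaped like ldapsearch results (attribute -> values).
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "loginShell": ["/bin/bash"]},
    {"uid": ["svc_backup"], "loginShell": ["/bin/false"]},
    {"uid": ["bob"], "loginShell": ["/usr/bin/false"]},
    {"uid": ["carol"]},  # no loginShell attribute at all
]


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515: only \\ * ( ) and NUL are
    special and become \\XX hex escapes; '/' passes through unchanged."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def nologin_filter(shells=NOLOGIN_SHELLS, object_class="posixAccount"):
    """Build an AND/OR filter matching user records whose loginShell is any
    of `shells`.  posixAccount as the user object class is an assumption."""
    terms = "".join("(loginShell=%s)" % escape_filter_value(s) for s in shells)
    return "(&(objectClass=%s)(|%s))" % (object_class, terms)


def ldapsearch_argv(uri, base, shells=NOLOGIN_SHELLS):
    """Return the ldapsearch invocation (as an argv list) for the filter,
    using only standard options: -x simple bind, -H URI, -b search base."""
    return ["ldapsearch", "-x", "-H", uri, "-b", base,
            nologin_filter(shells), "uid", "loginShell"]


def shell_disabled_users(entries, shells=NOLOGIN_SHELLS):
    """Apply the same check client-side to already-fetched entries and return
    the uids whose loginShell is a nologin shell.  Entries without a
    loginShell are left alone: they are not disabled by this mechanism."""
    found = []
    for entry in entries:
        shell_values = entry.get("loginShell", [])
        if any(shell in shells for shell in shell_values):
            found.extend(entry.get("uid", ["<no uid>"]))
    return found


if __name__ == "__main__":
    # Hypothetical server URI and search base; substitute your own.
    print(" ".join(ldapsearch_argv("ldap://od.example.com", "cn=users,dc=example,dc=com")))
    print("shell-disabled:", shell_disabled_users(SAMPLE_ENTRIES))
```

The client-side check mirrors the server-side filter so that a one-off audit of an existing export (for example an LDIF dump) gives the same answer as a live search; extend NOLOGIN_SHELLS if your administrators use another shell to block logins.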