Lock user account in LDAP (without using ppolicy)

Change the password field to the following:

{CRYPT}!$6$rounds=1000000$xxx$yyy

Or the following:

{CRYPT}$6$rounds=1000000$xxx$!yyy

According to my tests, this makes password authentication impossible.

It does not, however, cover other ways of authentication, for example with an SSH key. In order to cover those, at least the shell should be set to /bin/false. I strongly recommend combining this with another measure. In the comments, it was suggested to disable ~/.ssh/authorized_keys. A probably safer way is to change the primary group of the user to a group that is not allowed to SSH into the machine (the DenyGroups or AllowGroups feature of sshd can be used for this).


If you don't need to retain the existing password hash, you can simply delete the userPassword field from the LDAP entry. Of course if you re-enable the account the user will need to set a new password.
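As an added example (not code from the original post or its comments), here is a POSIX shell script that builds the ldapmodify LDIF for the "prefix the {CRYPT} hash with !" lock described above, together with the loginShell and primary-group changes, and also for the alternative of deleting userPassword outright. The DN uid=alice,ou=People,dc=example,dc=com, the gid 65534, the LDAP URL and admin DN in the comments are placeholders I chose, and the hash string is constructed, not a real user's.

```shell
#!/bin/sh
# Added example, not from the original post. It generates LDIF for ldapmodify;
# the DN, gid and server details are hypothetical placeholders.
set -e

CRYPT_PREFIX='{CRYPT}'

# Put a '!' between the {CRYPT} scheme tag and the crypt(3) string.
# crypt(3) never produces output starting with '!', so no password can
# ever match the stored value. Running it twice leaves the value unchanged.
lock_hash() {
  case "$1" in
    "$CRYPT_PREFIX"'!'*) printf '%s\n' "$1" ;;
    "$CRYPT_PREFIX"*)    printf '%s!%s\n' "$CRYPT_PREFIX" "${1#"$CRYPT_PREFIX"}" ;;
    *) echo "lock_hash: expected a {CRYPT} hash, got: $1" >&2; return 1 ;;
  esac
}

# Reverse lock_hash so the original password works again on re-enable.
unlock_hash() {
  case "$1" in
    "$CRYPT_PREFIX"'!'*) printf '%s%s\n' "$CRYPT_PREFIX" "${1#"$CRYPT_PREFIX"!}" ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# LDIF that locks the account: locked hash, no login shell, and a primary
# group that sshd refuses (pair the gid with DenyGroups/AllowGroups in
# sshd_config). $1 = DN, $2 = current userPassword value, $3 = nologin gid.
lock_ldif() {
  dn=$1 hash=$2 nologin_gid=$3
  locked=$(lock_hash "$hash")
  printf 'dn: %s\nchangetype: modify\n' "$dn"
  printf 'replace: userPassword\nuserPassword: %s\n-\n' "$locked"
  printf 'replace: loginShell\nloginShell: /bin/false\n-\n'
  printf 'replace: gidNumber\ngidNumber: %s\n' "$nologin_gid"
}

# Alternative when the old hash need not be kept: remove userPassword, so
# the user must be given a new password when the account is re-enabled.
delete_password_ldif() {
  printf 'dn: %s\nchangetype: modify\ndelete: userPassword\n' "$1"
}

# Demo run with a constructed hash. Apply for real by piping into e.g.
#   ldapmodify -x -H ldap://ldap.example.com -D 'cn=admin,dc=example,dc=com' -W
if [ "${1:-}" = "demo" ]; then
  lock_ldif 'uid=alice,ou=People,dc=example,dc=com' \
            '{CRYPT}$6$rounds=1000000$xxx$yyy' 65534
fi
```

The current userPassword value would normally be read first with ldapsearch as a DN allowed to see it; lock_hash refuses non-{CRYPT} schemes (such as {SSHA}) because the '!' trick is specific to crypt(3) strings, so those accounts need the delete-or-replace route instead.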