Lock user account in LDAP (without using ppolicy)
Change the password field to the following:
{CRYPT}!$6$rounds=1000000$xxx$yyy
Or the following:
{CRYPT}$6$rounds=1000000$xxx$!yyy
According to my tests, this makes password authentication impossible.
It does not, however, cover other ways of authentication, for example with an SSH key. In order to cover those, at least the shell should be set to /bin/false
. I strongly recommend to combine this with another measure. In the comments, it was suggested to disable ~/.ssh/authorized_keys
. A probably safer way is to change the primary group of the user to a group that is not allowed to SSH into the machine (the DenyGroups
or AllowGroups
feature of SSHD can be used for this).
If you don't need to retain the existing password hash, you can simply delete the userPassword field from the LDAP entry. Of course if you re-enable the account the user will need to set a new password.