On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote:
> I've disabled an account in FreeIPA using the UI and I don't see any
> changes in the directory. Are there supposed to be changes there or is
> this something that is accomplished in Kerberos? I was hoping to be
> able to search the directory for disabled accounts.
> 
> Steve
> 

When an account is disabled, the nsaccountlock attribute is set to True. I
would suggest the following LDAP search:

# ldapsearch -h localhost -Y GSSAPI -b cn=users,cn=accounts,$SUFFIX -s one nsaccountlock
SASL/GSSAPI authentication started
SASL username: ad...@idm.lab.bos.redhat.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: nsaccountlock 
#

# admin, users, accounts, idm.lab.bos.redhat.com
dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: False

# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: True


User "fbar" was disabled via CLI.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
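
Added example, not part of the original message and not FreeIPA code: a Python parser that takes ldapsearch LDIF output of the kind shown in the reply and returns the DNs whose nsaccountlock is true. The sample entries and the dc=example,dc=test suffix are constructed, and an entry with no nsaccountlock attribute is assumed to be enabled.

```python
import base64

# Constructed sample shaped like the ldapsearch output above (not real data).
# Adds cases the thread does not show: an entry with no nsaccountlock, a DN
# folded onto a continuation line, and a base64 ("::") value.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
nsaccountlock: False

dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=test
nsaccountlock: True

dn: uid=nolock,cn=users,cn=accounts,dc=example,dc=test

dn: uid=longname,cn=users,cn=accounts,
 dc=example,dc=test
nsaccountlock:: VFJVRQ==
"""

def parse_entries(text):
    """Yield (dn, {lowercased attribute: [values]}) for each LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold an LDIF continuation line
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue                      # ldapsearch comment lines
        name, sep, value = line.partition(":")
        if not sep:                       # blank (or colon-less) line ends the entry
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)

def disabled_accounts(text):
    """DNs with nsaccountlock true (any case); absent attribute = enabled (assumption)."""
    return [dn for dn, attrs in parse_entries(text)
            if any(v.lower() == "true" for v in attrs.get("nsaccountlock", []))]

if __name__ == "__main__":
    print("\n".join(disabled_accounts(SAMPLE_LDIF)))
```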
