Martin Kosek wrote:
On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote:
I've disabled an account in FreeIPA using the UI and I don't see any
changes in the directory. Are there supposed to be changes there or is
this something that is accomplished in Kerberos? I was hoping to be
able to search the directory for disabled accounts.


When an account is disabled, the nsaccountlock attribute is set to True. I
would suggest the following LDAP search:

# ldapsearch -h localhost -Y GSSAPI -b cn=users,cn=accounts,$SUFFIX -s one 
SASL/GSSAPI authentication started
SASL username:
SASL data security layer installed.
# extended LDIF
# LDAPv3
# base<cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com>  with scope 
# filter: (objectclass=*)
# requesting: nsaccountlock

# admin, users, accounts,
dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: False

# fbar, users, accounts,
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: True

User "fbar" was disabled via CLI.

To add to this, nsaccountlock is an LDAP operational attribute, so you have to ask for it explicitly for it to be displayed.
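Putting the two replies together, as an added example that is not from the thread or from FreeIPA itself: the script below builds an ldapsearch that filters on nsaccountlock directly (assumed filter `(nsaccountlock=TRUE)`, with the operational attribute requested by name, since it is not returned otherwise) and parses the resulting LDIF, treating an entry without the attribute as enabled. The suffix is the one from the thread's output; the sample LDIF is constructed.

```python
import shlex

SUFFIX = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"  # suffix seen in the thread


def build_search(suffix=SUFFIX, only_disabled=True):
    """Return the ldapsearch argv as a list.
    The filter returns only locked accounts (assumed: nsaccountlock is a
    boolean attribute, so TRUE matches), and nsaccountlock is named in the
    attribute list because operational attributes are not returned by default."""
    base = "cn=users,cn=accounts," + suffix
    flt = "(nsaccountlock=TRUE)" if only_disabled else "(objectclass=*)"
    return ["ldapsearch", "-Y", "GSSAPI", "-b", base, "-s", "one", "-LLL",
            flt, "uid", "nsaccountlock"]


def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts.
    Handles '#' comments, blank-line record separators and folded lines
    (a leading space continues the previous line). Base64 values ('::')
    are kept as-is, not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return entries


def disabled_uids(ldif_text):
    """Return the uids whose nsaccountlock is TRUE (case-insensitive).
    A missing nsaccountlock means the account is not locked."""
    out = []
    for entry in parse_ldif(ldif_text):
        if entry.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE":
            out.append(entry.get("uid", ["?"])[0])
    return out


# Constructed sample, shaped like the thread's output; "jdoe" has no
# nsaccountlock at all and carries a folded dn line.
SAMPLE_LDIF = """dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: admin
nsaccountlock: False

dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar
nsaccountlock: True

dn: uid=jdoe,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,
 dc=redhat,dc=com
uid: jdoe
"""

if __name__ == "__main__":
    print(shlex.join(build_search()))
    print("disabled:", disabled_uids(SAMPLE_LDIF))
```

Run the printed command on a FreeIPA server with a valid Kerberos ticket and feed its output to disabled_uids().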
