Martin Kosek wrote:
On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote:
I've disabled an account in FreeIPA using the UI and I don't see any
changes in the directory. Are there supposed to be changes there or is
this something that is accomplished in Kerberos? I was hoping to be
able to search the directory for disabled accounts.

Steve


When an account is disabled, the nsaccountlock attribute is set to True. I
would suggest the following LDAP search:

# ldapsearch -h localhost -Y GSSAPI -b cn=users,cn=accounts,$SUFFIX -s one nsaccountlock
SASL/GSSAPI authentication started
SASL username: ad...@idm.lab.bos.redhat.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: nsaccountlock
#

# admin, users, accounts, idm.lab.bos.redhat.com
dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: False

# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: True


User "fbar" was disabled via CLI.

To add to this, nsaccountlock is an LDAP operational attribute so you have to specifically ask for it for it to be displayed.

rob
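An added example, not from anyone in this thread, that post-processes ldapsearch output like Martin's above and applies Rob's point that nsaccountlock must be requested by name: it unfolds wrapped LDIF lines, decodes base64 ("::") values and lists the DNs whose nsaccountlock is TRUE. The LDIF is a constructed sample under the hypothetical suffix dc=example,dc=test.

```python
import base64

# Constructed sample in the shape ldapsearch prints: one folded DN line
# (continuation starts with a space) and one base64 ("::") value.
SAMPLE_LDIF = """\
# requesting: nsaccountlock

# admin, users, accounts, example.test
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
nsaccountlock: False

# fbar, users, accounts, example.test
dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=test
nsaccountlock: True

# long, users, accounts, example.test
dn: uid=a.very.long.name.that.ldapsearch.folds,cn=users,cn=accounts,dc=exa
 mple,dc=test
nsaccountlock:: VFJVRQ==
"""

def parse_ldif(text):
    """One dict (attr -> values) per entry, DN under 'dn'. Unfolds wrapped
    lines, decodes '::' base64 values and skips '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def disabled_dns(text):
    """DNs whose nsaccountlock is TRUE; compared case-insensitively."""
    return [e["dn"][0] for e in parse_ldif(text)
            if any(v.upper() == "TRUE" for v in e.get("nsaccountlock", []))]
```

Calling `disabled_dns(SAMPLE_LDIF)` returns the fbar DN and the folded DN, not admin; feed it the output of the ldapsearch shown above (nsaccountlock listed explicitly) to get the same result for a live directory.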

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
