Chris Whittle wrote:
I am working on my mac setups and am wanting to ping the server every so
often and check to see if their user is enabled or disabled.  If
Disabled then I will show them the login screen, log them out or
something else..  What I need is how to check to see if they are enabled
or not through bash...  Anyone done sometime similar?

It depends on the tools you have. Probably the most common tool would be ldapsearch. It also depends on your configuration. I'm not very familiar with configuring macos, so here is my best shot.

Assuming you have a host keytab, you can do something like:

$ kinit host/ -kt /etc/krb5.keytab
$ ldapsearch -LLL -Y GSSAPI -b uid=someuser,cn=users,cn=accounts,dc=example,dc=com nsaccountlock

If the value of nsaccountlock is TRUE then the account is disabled. Note that this is an operational attribute so you need to request it specifically. The possible values are:
 - nothing, the attribute hasn't been set yet
 - FALSE, the user is enabled
 - TRUE, the user is disabled

You can replace -Y GSSAPI with -x to do an anonymous search.


Freeipa-users mailing list

Reply via email to