I wrote a script to query IPA for accounts with passwords that are about to expire (so I can nag them with an email to reset their password), and I also added logic in my script to ignore accounts that are disabled.  So I needed a way to query my IPA server for this info.  I came up with 2 solutions for checking if the account is disabled.
1. Do an LDAP query on the user and check for an attribute called "nsAccountLock".  If it is TRUE, then the account is disabled.  If it is FALSE or not defined, then the account is enabled.
2. On a box with the IPA CLI tools installed, run the following command, "ipa user-status username".  However, if you have several replicated IPA servers, you will see the status of the account on each IPA server along with the account status.

I hope this helps. 

-----Original Message-----
From: Chris Whittle
Sent: May 12, 2014 10:31 AM
To: freeipa-users
Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?

I am working on my mac setups and am wanting to ping the server every so often and check to see if their user is enabled or disabled.  If Disabled then I will show them the login screen, log them out or something else..  What I need is how to check to see if they are enabled or not through bash...  Anyone done sometime similar?

Freeipa-users mailing list

Reply via email to