Thanks everyone... Between what you guys said and some research i ended up
doing this

On Mon, May 12, 2014 at 4:31 PM, Michael ORourke <>wrote:

> I wrote a script to query IPA for accounts with passwords that are about
> to expire (so I can nag them with an email to reset their password), and I
> also added logic in my script to ignore accounts that are disabled.  So I
> needed a way to query my IPA server for this info.  I came up with 2
> solutions for checking if the account is disabled.
> 1. Do an LDAP query on the user and check for an attribute called
> "nsAccountLock".  If it is TRUE, then the account is disabled.  If it is
> FALSE or not defined, then the account is enabled.
> 2. On a box with the IPA CLI tools installed, run the following command,
> "ipa user-status username".  However, if you have several replicated IPA
> servers, you will see the status of the account on each IPA server along
> with the account status.
> I hope this helps.
> -Mike
> -----Original Message-----
> From: Chris Whittle
> Sent: May 12, 2014 10:31 AM
> To: freeipa-users
> Subject: [Freeipa-users] Bash script to see if user is enabled or
> disabled?
> I am working on my mac setups and am wanting to ping the server every so
> often and check to see if their user is enabled or disabled.  If Disabled
> then I will show them the login screen, log them out or something else..
> What I need is how to check to see if they are enabled or not through
> bash...  Anyone done sometime similar?
Freeipa-users mailing list

Reply via email to