On 04/15/2016 04:06 PM, Harald Dunkel wrote: > Hi David, > > On 04/15/16 15:11, David Kupka wrote: >> >> Hello Harri, >> >> the attribute you're looking for is 'nsaccountlock'. This command should >> give you uids of all disabled users: >> >> $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test >> "(nsaccountlock=TRUE)" uid >> > > Thats exactly what I was looking for. For the record: Searching for > "nsaccountlock=FALSE" did not work. I had to use > > ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test > '(!(nsaccountlock=TRUE))' uid > > instead.
Right, this is because nsaccountlock is not with a user by default, it will be there after the first time the user is administratively disabled and then enabled. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project