Hi Marco,
"passwd -l" should work when you configure "rootbinddn" in
/etc/libnss-ldap.conf (you will also need to set the password in
/etc/libnss-ldap.secret).
No LDAP query for locked users is possible, as the attribute is not
configured for substring matching. This is a technical limitation of the
server.
But you can use the account status inside LAM, which is filterable:
https://www.ldap-account-manager.org/static/doc/manual/ch04s02.html
Shadow is only checked by the Unix system. If you want something to be
enforced globally then go for PPolicy (needs to be activated on server):
https://www.ldap-account-manager.org/static/doc/manual/ch04s02.html#mod_passwordPolicy
Best regards
Roland
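Since the server cannot filter on the lock marker and only the Unix side (nslcd/pam) enforces shadowAccount, an application that binds to LDAP directly has to evaluate both itself. The script below is an added example (not Roland's or LAM's code): it parses a constructed LDIF export, flags accounts whose userPassword carries the "!" lock marker that LAM and passwd -l insert, and treats shadowExpire as days since the epoch with the same "today >= shadowExpire" rule pam_unix applies to /etc/shadow (assumption: nslcd behaves alike).

```python
import datetime
import re

# Lock marker convention (assumption): a "!" in front of the hash, either
# before or directly after the optional {SCHEME} prefix, e.g. {CRYPT}!$6$...
_LOCK_RE = re.compile(r"^(\{[^}]+\})?!")


def is_locked(user_password):
    """True if the userPassword value carries the '!' lock marker."""
    return bool(_LOCK_RE.match(user_password or ""))


def is_expired(shadow_expire, today=None):
    """shadowExpire is days since 1970-01-01; absent or <= 0 means 'never'.
    Expired once today >= shadowExpire (pam_unix rule, assumed for nslcd)."""
    if shadow_expire is None or int(shadow_expire) <= 0:
        return False
    if today is None:
        today = (datetime.date.today() - datetime.date(1970, 1, 1)).days
    return today >= int(shadow_expire)


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines only (no base64 '::' values or line folding) - enough for the sample."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def account_status(entry, today=None):
    """Client-side decision an app should make before trusting a bind."""
    if is_locked(entry.get("userPassword", [""])[0]):
        return "locked"
    if is_expired(entry.get("shadowExpire", [None])[0], today):
        return "expired"
    return "active"


# Constructed sample: one active, one LAM-locked, one expired account.
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
userPassword: {CRYPT}$6$saltsalt$examplehash
shadowExpire: 99999

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
userPassword: {CRYPT}!$6$saltsalt$examplehash

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
userPassword: {SSHA}examplehash
shadowExpire: 19000
"""


def report(ldif=SAMPLE_LDIF, today=None):
    """Map uid -> status; pass today (days since epoch) for reproducible runs."""
    return {e["uid"][0]: account_status(e, today) for e in parse_ldif(ldif)}
```

With ppolicy enabled instead, the server would reject the bind itself and this client-side pass becomes a consistency check rather than the enforcement point.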
Am 18.05.23 um 23:05 schrieb Marco Gaiarin:
I'm a bit (ab)used to OpenLDAP, but with the samba schema added (and using
winbind), and now in Samba/AD mode with its internal LDAP server.
For both there's some way to lock the account, or to set account expiration,
and they are enforced (by winbind).
Now I have to manage a 'plain' LDAP server with only the posixAccount schema,
and I have some trouble; for example:
1) I can lock an account in LAM, but a 'passwd -l <user>' does not work; also,
there's no way to have an LDAP query that returns the locked (or unlocked)
accounts.
2) I can set up the 'shadowAccount' schema, but it gets used only by 'shadow enabled'
things, like nslcd; if I simply bind to LDAP (e.g., via PHP),
there's no shadow enforcement.
Are there any hints for these? Thanks.
_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public