Liam Gretton wrote:
> On 16/04/2013 19:49, Jignesh Patel wrote:
>> Does openldap have a provision like active directory to disable a user?
>>
>> useraccountcontrol 544
>
> At our site I created a new attribute 'globalLock' for every account and
> filter on that at the service end. For example in /etc/ldap.conf for PAM:
>
> pam_filter (globalLock=off)
>
> Enabled users get globalLock set to 'off'. Any other value will lock the user
> out.
>
> It's simple enough to use in Apache and other applications too.
The downside is that you have to configure it in each system.
This is not always possible.
I usually have an ACL like this for active human users' passwords which
1. allows all users to login,
2. grants write-only access for admins and
3. grants write-only access for the user himself.
# userPassword of active human users only (organizationalStatus=0)
access to
        dn.onelevel="ou=People,dc=example,dc=com"
        attrs=userPassword
        filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0))
        # admins may set the password but not read it
        by group="cn=Admins,ou=Groups,dc=example,dc=com" =wx
        # the user may change his own password but not read it
        by self =wx
        # everybody else may only use it for simple bind
        by * auth
Ciao, Michael.
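Added example, not part of either message above: a slapd.conf ACL fragment that pairs the "active users" clause with an explicit clause for everybody else under ou=People. The point is that an ACL with a filter= only applies to entries matching that filter; a locked account (organizationalStatus set to anything but 0, or the attribute missing) falls through to the next access directive, so the lock only holds if the next directive refuses auth. slapd evaluates access directives in order and uses the first whose target matches, so the specific clause must come first. The DNs, the group name and the use of organizationalStatus=0 as the "active" marker are taken from the post; the catch-all clause and the comments are assumptions constructed for illustration.

```conf
# Constructed example: slapd.conf access control for locking accounts
# centrally via the userPassword attribute. Assumes people live directly
# under ou=People,dc=example,dc=com, that active accounts carry
# organizationalStatus=0, and that admins are members of
# cn=Admins,ou=Groups,dc=example,dc=com (all taken from the post).

# 1. Active human users: admins and the user may set the password
#    (=w, no read), and anyone may use it for a simple bind (=x / auth).
access to dn.onelevel="ou=People,dc=example,dc=com"
        attrs=userPassword
        filter=(&(objectClass=inetOrgPerson)(organizationalStatus=0))
        by group="cn=Admins,ou=Groups,dc=example,dc=com" =wx
        by self =wx
        by * auth

# 2. Everything else under ou=People, i.e. locked accounts (any other
#    organizationalStatus value, or none at all) and non-person entries:
#    admins may still reset the password so the account can be reactivated,
#    but nobody, including the account itself, gets the auth privilege,
#    so a simple bind with that password fails. Without this clause the
#    entry would fall through to whatever directive comes next.
access to dn.onelevel="ou=People,dc=example,dc=com"
        attrs=userPassword
        by group="cn=Admins,ou=Groups,dc=example,dc=com" =w
        by * none
```

To lock an account with this in place, change its organizationalStatus from 0 to some other value with ldapmodify (an LDIF with "replace: organizationalStatus"); to verify the lock, run ldapwhoami -x -D <user DN> -w <password>, which must now fail with "Invalid credentials (49)" even though the stored password is unchanged. Unlocking is the reverse modification. Since the check happens in slapd itself, every service that binds against the directory honours the lock without per-system configuration, which is the advantage Michael is pointing out over the pam_filter approach.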