Re: [Freeipa-users] Bash script to see if user is enabled or disabled?
Thanks everyone... Between what you guys said and some research I ended up doing this
http://serverfault.com/questions/594443/how-can-i-force-a-mac-mobile-account-user-to-be-logged-out-or-locked-out-when-th/594773#594773

On Mon, May 12, 2014 at 4:31 PM, Michael ORourke wrote:

> I wrote a script to query IPA for accounts with passwords that are about
> to expire (so I can nag them with an email to reset their password), and I
> also added logic in my script to ignore accounts that are disabled. So I
> needed a way to query my IPA server for this info. I came up with 2
> solutions for checking if the account is disabled.
>
> 1. Do an LDAP query on the user and check for an attribute called
> "nsAccountLock". If it is TRUE, then the account is disabled. If it is
> FALSE or not defined, then the account is enabled.
> 2. On a box with the IPA CLI tools installed, run the following command,
> "ipa user-status username". However, if you have several replicated IPA
> servers, you will see the status of the account on each IPA server along
> with the account status.
>
> I hope this helps.
>
> -Mike
>
> -----Original Message-----
> From: Chris Whittle
> Sent: May 12, 2014 10:31 AM
> To: freeipa-users
> Subject: [Freeipa-users] Bash script to see if user is enabled or
> disabled?
>
> I am working on my mac setups and am wanting to ping the server every so
> often and check to see if their user is enabled or disabled. If Disabled
> then I will show them the login screen, log them out or something else..
> What I need is how to check to see if they are enabled or not through
> bash... Anyone done something similar?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Bash script to see if user is enabled or disabled?
I wrote a script to query IPA for accounts with passwords that are about to expire (so I can nag them with an email to reset their password), and I also added logic in my script to ignore accounts that are disabled. So I needed a way to query my IPA server for this info. I came up with 2 solutions for checking if the account is disabled.

1. Do an LDAP query on the user and check for an attribute called "nsAccountLock". If it is TRUE, then the account is disabled. If it is FALSE or not defined, then the account is enabled.
2. On a box with the IPA CLI tools installed, run the following command, "ipa user-status username". However, if you have several replicated IPA servers, you will see the status of the account on each IPA server along with the account status.

I hope this helps.

-Mike

-----Original Message-----
From: Chris Whittle
Sent: May 12, 2014 10:31 AM
To: freeipa-users
Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?

I am working on my mac setups and am wanting to ping the server every so often and check to see if their user is enabled or disabled. If Disabled then I will show them the login screen, log them out or something else.. What I need is how to check to see if they are enabled or not through bash... Anyone done something similar?

Re: [Freeipa-users] Bash script to see if user is enabled or disabled?
Chris Whittle wrote:

> I am working on my mac setups and am wanting to ping the server every so
> often and check to see if their user is enabled or disabled. If Disabled
> then I will show them the login screen, log them out or something else..
> What I need is how to check to see if they are enabled or not through
> bash... Anyone done something similar?

It depends on the tools you have. Probably the most common tool would be ldapsearch.

It also depends on your configuration. I'm not very familiar with configuring macos, so here is my best shot.

Assuming you have a host keytab, you can do something like:

    $ kinit host/fqdn.example.com -kt /etc/krb5.keytab
    $ ldapsearch -LLL -Y GSSAPI -b uid=someuser,cn=users,cn=accounts,dc=example,dc=com nsaccountlock

If the value of nsaccountlock is TRUE then the account is disabled. Note that this is an operational attribute so you need to request it specifically.

The possible values are:

- nothing, the attribute hasn't been set yet
- FALSE, the user is enabled
- TRUE, the user is disabled

You can replace -Y GSSAPI with -x to do an anonymous search.

rob
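
An added example, not part of any message in this thread: a bash helper that wraps the ldapsearch call shown above and maps its output to the three nsaccountlock cases, with an explicit "unknown" result when the lookup fails or returns no entry, so a failed query is never read as "enabled". The function names, the BASE_DN value and the login-name filter are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example; not code from the thread. Assumes a Kerberos ticket already
# exists (e.g. obtained with kinit and the host keytab, as in the reply above).

BASE_DN="cn=users,cn=accounts,dc=example,dc=com"   # placeholder from the thread

# Read `ldapsearch -LLL` output on stdin and print one of:
#   disabled - nsaccountlock is TRUE
#   enabled  - an entry came back and the attribute is FALSE or not set
#   unknown  - no entry came back (no such user, or not readable)
lock_state_from_ldif() {
    awk '
        tolower($1) ~ /^dn::?$/         { seen = 1 }
        tolower($1) == "nsaccountlock:" { val = toupper($2) }
        END {
            if (!seen)              print "unknown"
            else if (val == "TRUE") print "disabled"
            else                    print "enabled"
        }'
}

# Print the state for one login name; returns 2 when the state is unknown
# because of bad input or a failed search.
account_state() {
    local user="$1" ldif
    # Only plain login names are allowed into the DN (assumed naming policy).
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo unknown; return 2 ;;
    esac
    # -s base: read exactly this entry; -Q: suppress SASL progress output.
    if ! ldif=$(ldapsearch -LLL -Q -Y GSSAPI -s base \
                  -b "uid=${user},${BASE_DN}" nsaccountlock 2>/dev/null); then
        echo unknown    # server unreachable, no ticket, or no such object
        return 2
    fi
    printf '%s\n' "$ldif" | lock_state_from_ldif
}

# Usage: ./ipa-account-state.sh someuser
if [ "$#" -eq 1 ]; then
    account_state "$1"
fi
```

A caller that logs users out should act only on "disabled" and decide separately how to handle "unknown", for example when the laptop is offline.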