Thread: [Lam-public] Managing account locking and password expiration in plain LDAP schema...
From: Marco G. <ga...@li...> - 2023-05-18 21:10:15

I'm a bit (ab)used to OpenLDAP, but with the samba schema added (and using winbind), and now on Samba/AD mode and their internal LDAP server. For both there's some way to lock the account, or to set account expiration, and they are enforced (by winbind).

Now I have to manage a 'plain' LDAP server with only the posixAccount schema, and I have some trouble; for example:

1) I can lock an account in LAM, but a 'passwd -l <user>' does not work; also, there's no way to have an LDAP query that returns the locked (or unlocked) accounts.

2) I can set up the 'shadowAccount' schema, but it gets used only by 'shadow enabled' things, like nslcd; if I simply bind to LDAP (e.g. via PHP), there's no shadow enforcing.

Is there some hint for these? Thanks.

-- 
As long as the colour of the skin is more important than the colour of the eyes, there will always be war. (Bob Marley)
From: Roland G. <po...@ro...> - 2023-05-19 05:48:35

Hi Marco,

"passwd -l" should work when you configure "rootbinddn" in /etc/libnss-ldap.conf (you will also need to set the password in /etc/libnss-ldap.secret).

There is no LDAP query for locked users possible as the attribute is not configured for substring matching. This is a technical limitation of the server. But you can use the account status inside LAM which is filterable: https://www.ldap-account-manager.org/static/doc/manual/ch04s02.html

Shadow is only checked by the Unix system. If you want something to be enforced globally then go for PPolicy (needs to be activated on server): https://www.ldap-account-manager.org/static/doc/manual/ch04s02.html#mod_passwordPolicy

Best regards

Roland

On 18.05.23 at 23:05, Marco Gaiarin wrote:
> I'm a bit (ab)used to OpenLDAP, but with the samba schema added (and using
> winbind), and now on Samba/AD mode and their internal LDAP server.
>
> For both there's some way to lock the account, or to set account expiration,
> and they are enforced (by winbind).
>
> Now I have to manage a 'plain' LDAP server with only the posixAccount schema,
> and I have some trouble; for example:
>
> 1) I can lock an account in LAM, but a 'passwd -l <user>' does not work; also,
> there's no way to have an LDAP query that returns the locked (or unlocked)
> accounts.
>
> 2) I can set up the 'shadowAccount' schema, but it gets used only by 'shadow enabled'
> things, like nslcd; if I simply bind to LDAP (e.g. via PHP), there's no shadow
> enforcing.
>
> Is there some hint for these? Thanks.
From: Marco G. <ga...@li...> - 2023-05-21 21:40:19

Hello! Roland Gruber, on that day, wrote...

> "passwd -l" should work when you configure "rootbinddn" in
> /etc/libnss-ldap.conf (you will also need to set the password in
> /etc/libnss-ldap.secret).

Ah, oh... I never minded about that...

> But you can use the account status inside LAM which is filterable:
> https://www.ldap-account-manager.org/static/doc/manual/ch04s02.html

Two minutes after posting, I found exactly that. Thanks!

> Shadow is only checked by the Unix system. If you want something to be
> enforced globally then go for PPolicy (needs to be activated on server):
> https://www.ldap-account-manager.org/static/doc/manual/ch04s02.html#mod_passwordPolicy

If I've understood well, this is an alternative to shadow, right? E.g., PPolicy does not use the shadow* fields...

Thanks.

-- 
All shut up in so many cells, they compete at who talks loudest, so as not to say that stars and death are frightening. (F. Guccini)
From: Roland G. <po...@ro...> - 2023-05-22 05:40:45

Hi Marco,

On 21.05.23 at 23:33, Marco Gaiarin wrote:
>> Shadow is only checked by the Unix system. If you want something to be
>> enforced globally then go for PPolicy (needs to be activated on server):
>> https://www.ldap-account-manager.org/static/doc/manual/ch04s02.html#mod_passwordPolicy
>
> If I've understood well, this is an alternative to shadow, right? E.g.,
> PPolicy does not use the shadow* fields...

PPolicy is checked server-side. This is why all applications are affected when the user is e.g. locked. On the other side, Shadow is purely checked client-side (Unix login).

Best regards

Roland
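To make the client-side/server-side distinction concrete, here is an added example (not from the thread, and not LAM's or OpenLDAP's code): a small Python check that an application binding to LDAP directly could run over a user's shadowAccount attributes, since the server itself will not enforce them. Attribute names are the standard shadowAccount ones; the '!' lock marker after the scheme prefix, the dates and the sample entries are assumed or constructed.

```python
# Added example (not from the thread or LAM): evaluate shadowAccount
# attributes client-side, as nslcd/pam would, for an application that binds
# to LDAP directly and so gets no shadow enforcement from the server.
# Semantics follow shadow(5); the sample entries below are constructed.
from datetime import date

EPOCH = date(1970, 1, 1)

def days_since_epoch(d: date) -> int:
    """shadow* day counters are days since 1970-01-01."""
    return (d - EPOCH).days

def shadow_status(attrs: dict, today: date) -> str:
    """Return 'locked', 'expired', 'password-expired' or 'ok' for one entry
    whose attrs map attribute names to lists of string values."""
    now = days_since_epoch(today)
    # Lock marker: passwd -l (and LAM) put '!' in front of the hash, after
    # the scheme prefix, e.g. "{CRYPT}!$6$...".  Assumed convention; the
    # server cannot search for it, so check it after reading the entry.
    for pw in attrs.get("userPassword", []):
        hash_part = pw.split("}", 1)[1] if pw.startswith("{") else pw
        if hash_part.startswith("!"):
            return "locked"
    # shadowExpire: absolute day the account is disabled (<= 0 = never).
    expire = int(attrs.get("shadowExpire", ["-1"])[0])
    if expire > 0 and now >= expire:
        return "expired"
    # Password age: shadowLastChange + shadowMax, plus shadowInactive grace
    # days when set (-1 / absent means no limit).
    last_change = attrs.get("shadowLastChange")
    shadow_max = int(attrs.get("shadowMax", ["-1"])[0])
    if last_change and shadow_max >= 0:
        deadline = int(last_change[0]) + shadow_max
        inactive = int(attrs.get("shadowInactive", ["-1"])[0])
        if inactive >= 0:
            deadline += inactive
        if now > deadline:
            return "password-expired"
    return "ok"

# Constructed entries; 2023-05-22 is day 19499 since the epoch.
TODAY = date(2023, 5, 22)
SAMPLE = {
    "alice": {"userPassword": ["{CRYPT}$6$x"], "shadowLastChange": ["19450"], "shadowMax": ["90"]},
    "bob": {"userPassword": ["{CRYPT}!$6$x"], "shadowLastChange": ["19450"], "shadowMax": ["90"]},
    "carol": {"userPassword": ["{SSHA}x"], "shadowExpire": ["19400"]},
    "dave": {"userPassword": ["{SSHA}x"], "shadowLastChange": ["19000"], "shadowMax": ["90"], "shadowInactive": ["7"]},
}
def check_all(entries=SAMPLE, today=TODAY) -> dict:
    return {uid: shadow_status(a, today) for uid, a in entries.items()}
```

With PPolicy enabled instead, these checks happen in the server at bind time and the application needs none of this logic.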
From: Marco G. <ga...@li...> - 2023-05-30 13:10:12

Hello! Roland Gruber, on that day, wrote...

> PPolicy is checked server-side. This is why all applications are
> affected when the user is e.g. locked.
> On the other side, Shadow is purely checked client-side (Unix login).

Perfectly clear. Thanks.

-- 
You had powerful voices, tongues trained to beat the drum; you had powerful voices, fit for telling people to fuck off. (F. De André)