Re: [Lam-public] Managing account locking and password expiration in plain LDAP schema...
From: Roland G. <po...@ro...> - 2023-05-19 05:48:35
Hi Marco,

"passwd -l" should work when you configure "rootbinddn" in /etc/libnss-ldap.conf (you will also need to set the password in /etc/libnss-ldap.secret).

There is no LDAP query for locked users possible as the attribute is not configured for substring matching. This is a technical limitation of the server. But you can use the account status inside LAM, which is filterable: https://www.ldap-account-manager.org/static/doc/manual/ch04s02.html

Shadow is only checked by the Unix system. If you want something to be enforced globally then go for PPolicy (needs to be activated on the server): https://www.ldap-account-manager.org/static/doc/manual/ch04s02.html#mod_passwordPolicy

Best regards

Roland

On 18.05.23 at 23:05, Marco Gaiarin wrote:
>
> I'm a bit (ab)used to OpenLDAP, but with the samba schema added (and using
> winbind), and now in Samba/AD mode and their internal LDAP server.
>
> For both there's some way to lock the account, or to set account expiration,
> and they are enforced (by winbind).
>
> Now I have to manage a 'plain' LDAP server with only the posixAccount schema,
> and I have some trouble; for example:
>
> 1) I can lock an account in LAM, but a 'passwd -l <user>' does not work; also,
> there's no way to have an LDAP query that returns the locked (or unlocked)
> accounts.
>
> 2) I can set up the 'shadowAccount' schema, but it gets used only by 'shadow enabled'
> things, like nslcd; if I simply bind to LDAP (e.g. via PHP), there's no
> shadow enforcement.
>
> Is there some hint for these? Thanks.
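The two gaps the thread describes, that a plain posixAccount/shadowAccount server neither answers "which accounts are locked" (userPassword has no substring matching rule, so a filter like `(userPassword=*!*)` cannot be evaluated server-side) nor enforces shadow expiry for an application that just binds, can be covered client-side over entries you have already fetched, the same way LAM's filterable account status works. The following is an added example, not code from LAM or from either poster. It assumes that a locked password is marked by a "!" directly after the optional `{SCHEME}` prefix (the marker shadow-utils' `passwd -l` writes to /etc/shadow; whether LAM writes the same marker for Unix accounts is an assumption here), a shadow-utils-style reading of shadowExpire / shadowLastChange / shadowMax, and constructed sample entries (`SAMPLE_ENTRIES`, `TODAY`) in place of a real search result.

```python
# Added example (not LAM's code): client-side account-status checks for a
# directory that has only posixAccount/shadowAccount and no PPolicy overlay.
# The server enforces neither the lock marker nor shadow expiry; nslcd/pam
# evaluate shadow* attributes, an application that merely binds does not.
import re
from datetime import date
from typing import Optional

EPOCH = date(1970, 1, 1)

# Assumption: locked Unix password = "!" right after the optional "{SCHEME}"
# prefix, e.g. "{CRYPT}!$6$...". This is the shadow-utils "passwd -l" marker;
# that LAM's Unix lock uses the same convention is assumed, not taken from the thread.
_LOCK_MARK = re.compile(r"^(\{[A-Za-z0-9-]+\})?!")

# Constructed date for reproducible results (the day of Roland's reply).
TODAY = date(2023, 5, 19)


def days_since_epoch(day: date) -> int:
    """shadow(5) stores shadowExpire/shadowLastChange as days since 1970-01-01."""
    return (day - EPOCH).days


def is_locked(user_password: Optional[str]) -> bool:
    """True when the hash carries the '!' lock marker (see assumption above)."""
    return bool(user_password) and bool(_LOCK_MARK.match(user_password))


def _int_attr(entry: dict, name: str, default: int) -> int:
    value = entry.get(name)
    return int(value) if value not in (None, "") else default


def account_status(entry: dict, today: date) -> str:
    """Return 'locked', 'expired', 'password-expired' or 'ok'.

    Rules follow the shadow(5) semantics as read from shadow-utils:
      * shadowExpire > 0 and today >= shadowExpire   -> account expired
      * shadowLastChange == 0                         -> password must be changed
      * shadowMax >= 0 and today >= lastChange + max  -> password expired
      * absent / -1 values mean "no limit"
    """
    now = days_since_epoch(today)
    if is_locked(entry.get("userPassword")):
        return "locked"
    expire = _int_attr(entry, "shadowExpire", -1)
    if expire > 0 and now >= expire:
        return "expired"
    last_change = _int_attr(entry, "shadowLastChange", -1)
    max_age = _int_attr(entry, "shadowMax", -1)
    if last_change == 0:
        return "password-expired"
    if last_change > 0 and max_age >= 0 and now >= last_change + max_age:
        return "password-expired"
    return "ok"


def find_by_status(entries, status: str, today: date):
    """The 'filter by account status' a server-side LDAP filter cannot give you."""
    return [e["uid"] for e in entries if account_status(e, today) == status]


# Constructed sample entries, shaped like single-valued attributes from a
# python-ldap search result; hashes are placeholders, not real digests.
SAMPLE_ENTRIES = [
    {"uid": "alice", "userPassword": "{CRYPT}$6$salt$hashedvalue"},
    {"uid": "bob", "userPassword": "{CRYPT}!$6$salt$hashedvalue"},
    {"uid": "carol", "userPassword": "{SSHA}c2FsdGVkaGFzaA==",
     "shadowExpire": "19400"},
    {"uid": "dave", "userPassword": "{CRYPT}$6$salt$hashedvalue",
     "shadowLastChange": "19000", "shadowMax": "90"},
    {"uid": "erin", "userPassword": "{CRYPT}$6$salt$hashedvalue",
     "shadowLastChange": "19480", "shadowMax": "90", "shadowExpire": "-1"},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e['uid']:8} {account_status(e, TODAY)}")
```

An application that binds as the user should run `account_status` on the user's entry after a successful bind and refuse the session unless it returns "ok"; a bind alone succeeds for locked and expired accounts on such a server. Treat this as a stop-gap: as Roland says, the only thing enforced for every client is the server-side policy (PPolicy).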