
I have a FreeIPA LDAP server and a Mavericks client. I have bound my Mac to my LDAP and created a mobile account.

What I want is that when someone is disabled, it logs out the user or locks the screen.

  • I don't think there's any built-in way to do it. You'll need to write a script that polls your LDAP server to check if the user has been disabled, then performs the logout. Once they've been logged out, they should no longer be able to log in—so long as the LDAP server is reachable on their next attempt to log in. – Joe Carroll May 12 '14 at 07:10

1 Answer

Thanks Joe, your comment led me to look at ldapsearch. I haven't created a cron job for it yet, but that's my plan. With FreeIPA (thanks Rob Crittenden!) it uses nsaccountlock to tell you whether the user is disabled or not. Its value will be FALSE or empty if they are enabled and TRUE if they are locked.

# anonymous bind; prints TRUE when the account is disabled, FALSE or nothing when enabled
ldapsearch -LLL -h ldap.server.com -p 389 -x -b \
"uid=cwhittl,cn=users,cn=accounts,dc=domain,dc=com" \
nsaccountlock  | grep '^nsaccountlock' | cut -d ' ' -f 2

or with simple auth

# simple bind as a dedicated lookup account (-D bind DN, -w password)
ldapsearch -LLL -h ldap.server.com -p 389 -x -D \
"uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" \
-w 'N@ch0PassW0rd!' -b "uid=cwhittl,cn=users,cn=accounts,dc=domain,dc=com" \
nsaccountlock  | grep '^nsaccountlock' | cut -d ' ' -f 2
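The cron-driven check the answer describes, written out as an added example (not code from the original answer or from the FreeIPA project). It polls the directory for nsaccountlock and, when the attribute reads TRUE, sends the console user back to the login window and ends the session. The hostname, DNs and the bind account are the placeholders from the answer's commands; the password file path, the script name and the lock-out commands are assumptions. Reading the bind password from a root-owned file with `-y` keeps it out of `ps` output and the crontab. An unreachable server is treated as "no change", so a network blip does not throw people off their Macs; if you would rather fail closed, change that branch.

```shell
#!/bin/sh
# Added example, not from the original answer: cron-driven enforcement of a
# FreeIPA account disable on a Mac with a mobile account.
# Hostname, DNs and bind account are the answer's placeholders; the password
# file, script path and lock-out commands are assumptions (hypothetical).

LDAP_HOST="ldap.server.com"
LDAP_PORT="389"
USERS_BASE="cn=users,cn=accounts,dc=domain,dc=com"
BIND_DN="uid=mac_slave,${USERS_BASE}"
BIND_PW_FILE="/etc/ldap-check.pw"   # assumed: root-owned, mode 0600

# Read LDIF on stdin and print the nsaccountlock value upper-cased
# ("" when the attribute is absent). FreeIPA: TRUE = disabled.
parse_nsaccountlock() {
    awk -F': ' 'tolower($1) == "nsaccountlock" { print toupper($2); exit }'
}

# Exit status 0 when the given LDIF describes a disabled account.
ldif_says_locked() {
    [ "$(printf '%s\n' "$1" | parse_nsaccountlock)" = "TRUE" ]
}

# Query the directory for one uid. Non-zero exit when the server is
# unreachable or the bind fails, so the caller can distinguish that case.
fetch_user_ldif() {
    ldapsearch -LLL -h "$LDAP_HOST" -p "$LDAP_PORT" -x \
        -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "uid=$1,${USERS_BASE}" nsaccountlock
}

# Lock to the login window, then terminate the session. CGSession -suspend
# is the fast-user-switch "lock"; killing the user's loginwindow logs them out.
lock_out_console_user() {
    user="$1"
    logger -t ldap-check "account $user disabled in LDAP, ending session"
    "/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession" -suspend
    pkill -u "$user" loginwindow
}

enforce() {
    # the owner of /dev/console is whoever is logged in at the GUI
    user=$(stat -f %Su /dev/console)
    [ -n "$user" ] && [ "$user" != "root" ] || exit 0   # nobody at the console
    if ! ldif=$(fetch_user_ldif "$user"); then
        logger -t ldap-check "LDAP unreachable, leaving session for $user untouched"
        exit 0
    fi
    if ldif_says_locked "$ldif"; then
        lock_out_console_user "$user"
    fi
}

# Only act when invoked with --enforce, e.g. from root's crontab:
#   */5 * * * * /usr/local/sbin/ldap-check.sh --enforce
if [ "${1:-}" = "--enforce" ]; then
    enforce
fi
```

The polling interval bounds how long a disabled user keeps a live session, so pick it to match how quickly you need a disable to take effect; the lock-out itself only matters for sessions already open, since once logged out the user cannot authenticate again while the server is reachable.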