I'm a newbie to OpenLDAP. I have done a bit of research on the above topic and so far haven't found a satisfactory answer. I would appreciate it if anyone could show me how to enable/disable/remove a user account in OpenLDAP.
3 Answers
2
An admin changing the user's password is not a good idea. It has several side effects:
- It will cause a login failure.
- It's not easy to re-enable the user.
I like the solution of adding an ACL on the userPassword attribute; see the solution here: acl control userPassword. It's clean and effective.

Feng Xi
0
- Disable: using the password-policy overlay, set pwdAccountLockedTime.
- Enable: clear or remove the above attribute.
- Remove: remove the entry for the user from the DIT.

user207421
- I'm using openldap 2.4.31 on Ubuntu and I don't think the ppolicy schema comes with it. Do I need to add them to slapd.conf? Is there a quick tutorial on setting this up? – yapkm01 Apr 14 '15 at 00:26
- `ppolicy` is not a schema, it is an overlay, and it does indeed come with 2.4.31. You need to read *man slapo-policy.* – user207421 Apr 14 '15 at 22:07
- Setting up this ppolicy is not simple. Is there a simple quick tutorial on this? By the way, my OpenLDAP is not using OLC. Can ppolicy work on slapd.conf, the old way? – yapkm01 Apr 17 '15 at 18:30
- Not aware of a tutorial (zytrax.com is the place to look for OpenLDAP, but nothing there on policy that I could see), but it's covered in a book whose title I forget; anyway, it's the most obvious OpenLDAP book. OpenLDAP overlays don't care which way you do your configuration. – user207421 Apr 19 '15 at 00:51
- The book is Matt Butcher, *Mastering OpenLDAP.* – user207421 Apr 20 '15 at 01:25
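The three operations from the answer above (lock via pwdAccountLockedTime, unlock by removing it, delete the entry), as an added example that is not code from the answer or from the OpenLDAP project. It assumes the ppolicy overlay is already loaded in slapd.conf (`overlay ppolicy`), and the URI, admin DN and user DN are placeholders for your own directory.

```shell
#!/bin/sh
# Added example: emit the LDIF for each operation, to be piped into ldapmodify.
# Assumes "overlay ppolicy" is configured on the database; URI/DNs are placeholders.

LDAP_URI="ldap://localhost"                  # assumed
ADMIN_DN="cn=admin,dc=example,dc=com"        # assumed

# Disable: 000001010000Z is the special value slapo-ppolicy(5) documents as
# "administratively locked"; a real timestamp would expire after pwdLockoutDuration.
lock_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: pwdAccountLockedTime\npwdAccountLockedTime: 000001010000Z\n' "$1"
}

# Enable: remove the attribute. The user's password is untouched, so no reset is needed.
unlock_ldif() {
  printf 'dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n' "$1"
}

# Remove: delete the entry itself (irreversible; prefer a lock when you need an audit trail).
delete_ldif() {
  printf 'dn: %s\nchangetype: delete\n' "$1"
}

# Report the lock state of an LDIF entry read on stdin. pwdAccountLockedTime is an
# operational attribute, so request it explicitly: ldapsearch -x -b "<dn>" -s base '+'
lock_state() {
  awk '
    $1 == "pwdAccountLockedTime:" { v = $2 }
    END {
      if (v == "")                   print "unlocked"
      else if (v == "000001010000Z") print "locked-by-admin"
      else                           print "locked-until-timeout " v
    }'
}

apply() { ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -W; }

# Usage against a live server: lock_ldif "uid=alice,ou=people,dc=example,dc=com" | apply
```

The admin lock survives pwdLockoutDuration, which is why it is preferred over a timed lockout for deliberately disabling an account.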
0
The simplest way for an admin to disable an account is to change the password.
The account can easily be re-activated by giving the user the password and asking the user to change it.