<div dir="ltr"><div class="gmail_extra">hi Harald,<br></div><div class="gmail_extra"><div class="gmail_quote">On Fri, Apr 15, 2016 at 1:31 PM, Harald Dunkel <span dir="ltr"><<a href="mailto:harald.dunkel@aixigo.de" target="_blank">harald.dunkel@aixigo.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi folks,<br>
<br>
I have no luck with the ipa cli, so I wonder if it is<br>
possible to ldapsearch for disabled or enabled users?<br>
A command line like<br>
<br>
ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com uid=somebody<br>
<br>
doesn't show :-(.</blockquote></div><br></div><div class="gmail_extra">I just tested using the public <a href="http://demo1.freeipa.org">demo1.freeipa.org</a> instance and it works using the 'hidden' nsaccountlock attribute:<br><br>$ ldapsearch -LLL -Y GSSAPI -h <a href="http://ipa.demo1.freeipa.org">ipa.demo1.freeipa.org</a> -b cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org "(nsaccountlock=TRUE)" uid<br>SASL/GSSAPI authentication started<br>SASL username: <a href="mailto:helpdesk@DEMO1.FREEIPA.ORG">helpdesk@DEMO1.FREEIPA.ORG</a><br>SASL SSF: 56<br>SASL data security layer installed.<br>dn: uid=test,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org<br>uid: test<br><br>dn: uid=bladibla,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org<br>uid: bladibla<br><br></div><div class="gmail_extra">I found out about the nsaccountlock in <a href="https://www.mail-archive.com/search?l=freeipa-devel@redhat.com&q=subject:%22Re\%3A+\[Freeipa\-devel\]+User+status%22&o=newest&f=1">https://www.mail-archive.com/search?l=freeipa-devel@redhat.com&q=subject:%22Re\%3A+\[Freeipa\-devel\]+User+status%22&o=newest&f=1</a><br></div><div class="gmail_extra"><br></div></div>