[Freeipa-devel] User status

Martin Kosek mkosek at redhat.com
Wed Apr 9 13:17:48 UTC 2014


On 04/09/2014 03:15 PM, Massimiliano Perrone (tirasa.net) wrote:
> On 04/09/2014 02:40 PM, Martin Kosek wrote:
>> On 04/09/2014 02:37 PM, Massimiliano Perrone (tirasa.net) wrote:
>>> On 04/09/2014 02:01 PM, Martin Kosek wrote:
>>>> On 04/09/2014 01:30 PM, Massimiliano Perrone (tirasa.net) wrote:
>>>>> Hi guys,
>>>>> is there any way to check the user status on the LDAP server?
>>>>>
>>>>> Thanks and regards,
>>>>>
>>>>> Massi
>>>>>
>>>> Hello,
>>>>
>>>> It depends on what you mean by status. We have a command to get the lock/auth
>>>> status of a user, the user-status command:
>>>>
>>>> # ipa user-status fbar
>>>> -----------------------
>>>> Account disabled: False
>>>> -----------------------
>>>>     Server: ipa.example.com
>>>>     Failed logins: 0
>>>>     Last successful authentication: 2014-04-09T12:00:39Z
>>>>     Last failed authentication: N/A
>>>>     Time now: 2014-04-09T12:00:42Z
>>>> ----------------------------
>>>> Number of entries returned 1
>>>> ----------------------------
>>>>
>>>> Martin
>>> Hi Martin,
>>> thanks for your quick reply and I'm sorry to have been unclear.
>>>
>>> By user status I mean only the value of the "Account disabled" label pasted
>>> above, and whether that value is also saved as an LDAP server attribute.
>>>
>>> Massi
>>>
>> You can either see the nsaccountlock attribute in the user entry in LDAP or a
>> return value from the FreeIPA API:
>>
>> # ipa user-disable fbar
>> ----------------------------
>> Disabled user account "fbar"
>> ----------------------------
>> # ipa user-show fbar
>> ...
>>    Account disabled: True
>> ...
>>
>> Martin
> 
> Perfect Martin.
> 
> From the LDAP point of view: a user is enabled when nsaccountlock is FALSE or is
> not present, whereas a user is disabled when the nsaccountlock attribute is set
> to TRUE.
> 
> Thanks,
> Massi
> 

Exactly. Note that nsaccountlock is an LDAP operational attribute and you will
need to explicitly specify it in your LDAP search to retrieve it.

Martin
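
The rule agreed in this thread, applied to LDIF search output, as an added example that is not part of the original message or FreeIPA's own code. The function names, the sample entries and the case-insensitive comparison of the value are assumptions made for illustration.

```python
import base64

# Constructed sample: LDIF from a search that named nsaccountlock
# in its attribute list. The DNs and users are made up.
SAMPLE_LDIF = """\
dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=com
uid: fbar
nsAccountLock: TRUE

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
nsaccountlock: FALSE

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
nsaccountlock:: VFJVRQ==
"""


def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per user entry."""
    # A line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            # "attr:: value" carries a base64-encoded value.
            value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                     if rest.startswith(":") else rest.strip())
            entry.setdefault(name.lower(), []).append(value)
        if "uid" in entry:  # skip version/result blocks without a uid
            yield entry


def account_status(ldif_text, requested_attrs):
    """Map uid -> True (disabled) or False (enabled)."""
    # nsaccountlock is operational: if the search did not name it, its
    # absence proves nothing, so refuse to report everyone as enabled.
    if "nsaccountlock" not in {a.lower() for a in requested_attrs}:
        raise ValueError("search must explicitly request nsaccountlock")
    # Absent or FALSE means enabled; TRUE means disabled.
    return {e["uid"][0]: e.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE"
            for e in parse_ldif(ldif_text)}
```

Pass the same attribute list that was given to the search as `requested_attrs`; the check on it is what keeps a search that omitted nsaccountlock from being read as "all accounts enabled".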



