[Freeipa-users] disable account behavior
Martin Kosek
mkosek at redhat.com
Thu Jun 9 08:58:42 UTC 2011
On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote:
> I've disabled an account in FreeIPA using the UI and I don't see any
> changes in the directory. Are there supposed to be changes there or is
> this something that is accomplished in Kerberos? I was hoping to be
> able to search the directory for disabled accounts.
>
> Steve
>
When an account is disabled, the nsaccountlock attribute is set to True. I
would suggest the following LDAP search:
# ldapsearch -h localhost -Y GSSAPI -b cn=users,cn=accounts,$SUFFIX -s one nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin at IDM.LAB.BOS.REDHAT.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: nsaccountlock
#
# admin, users, accounts, idm.lab.bos.redhat.com
dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: False
# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: True
User "fbar" was disabled via CLI.
Martin
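
Added example, not part of the original message: a shell function that reduces the LDIF output of the search above to the DNs of disabled accounts. It assumes entries with no nsaccountlock value are enabled; the function names and the example.com sample data are constructed for illustration.

```shell
#!/bin/sh
# Reads ldapsearch LDIF on stdin and prints the DN of each entry whose
# nsaccountlock value is true (compared case-insensitively).
# Assumption: an entry with no nsaccountlock value is enabled.
# Base64-encoded DNs (dn::) are not decoded.
disabled_accounts() {
    awk '
        # Print the DN of the entry just finished if it was locked.
        function flush_entry() {
            if (dn != "" && locked) print dn
            dn = ""; locked = 0; last = ""
        }
        /^#/    { last = "comment"; next }   # LDIF comment
        /^$/    { flush_entry(); next }      # blank line ends an entry
        # A leading space marks a folded line; rejoin it only for the DN.
        /^ /    { if (last == "dn") dn = dn substr($0, 2); next }
        /^dn: / { flush_entry(); dn = substr($0, 5); last = "dn"; next }
        {
            last = "attr"
            if (tolower($0) ~ /^nsaccountlock: *true *$/) locked = 1
        }
        END { flush_entry() }
    '
}

# Constructed sample in the shape of the output above: one folded DN,
# one entry without the attribute, one upper-case value.
sample_ldif() {
cat <<'EOF'
# admin, users, accounts, example.com
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
nsaccountlock: False

# fbar, users, accounts, example.com
dn: uid=fbar,cn=users,cn=accounts,dc=exa
 mple,dc=com
nsaccountlock: True

# jdoe, users, accounts, example.com
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com

# svc, users, accounts, example.com
dn: uid=svc,cn=users,cn=accounts,dc=example,dc=com
nsAccountLock: TRUE
EOF
}

sample_ldif | disabled_accounts
```

Against a live server, pipe the ldapsearch command from the message into disabled_accounts instead of sample_ldif.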