[Freeipa-users] disable account behavior

Rob Crittenden rcritten at redhat.com
Thu Jun 9 13:35:25 UTC 2011


Martin Kosek wrote:
> On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote:
>> I've disabled an account in FreeIPA using the UI and I don't see any
>> changes in the directory. Are there supposed to be changes there or is
>> this something that is accomplished in Kerberos? I was hoping to be
>> able to search the directory for disabled accounts.
>>
>> Steve
>>
>
> When an account is disabled, nsaccountlock attribute is set to True. I
> would suggest the following LDAP search:
>
> # ldapsearch -h localhost -Y GSSAPI -b cn=users,cn=accounts,$SUFFIX -s one nsaccountlock
> SASL/GSSAPI authentication started
> SASL username: admin at IDM.LAB.BOS.REDHAT.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base<cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com>  with scope oneLevel
> # filter: (objectclass=*)
> # requesting: nsaccountlock
> #
>
> # admin, users, accounts, idm.lab.bos.redhat.com
> dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> nsaccountlock: False
>
> # fbar, users, accounts, idm.lab.bos.redhat.com
> dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> nsaccountlock: True
>
>
> User "fbar" was disabled via CLI.

To add to this, nsaccountlock is an LDAP operational attribute so you 
have to specifically ask for it for it to be displayed.

rob
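As an added illustration of the two points made in this thread (disabled accounts are marked by `nsaccountlock`, and because it is operational the attribute only appears when named explicitly in the request), here is a small Python script that is not part of the original thread or of FreeIPA. It builds the same `ldapsearch` invocation Martin shows, then parses LDIF output of that shape and reports which users are disabled, treating an entry that returned no `nsaccountlock` at all as "unknown" rather than "enabled". The sample LDIF, the `dc=example,dc=test` suffix and the `uid=nolock` entry are constructed for the example.

```python
"""Audit helper: list disabled IPA users from ldapsearch LDIF output (added example, not FreeIPA code)."""
from typing import Dict, List, Optional

# Constructed sample LDIF modelled on the thread's output. nsaccountlock is present only
# because it was requested explicitly; the third entry omits it to show the "unknown" case.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=test> with scope oneLevel
# filter: (objectclass=*)
# requesting: nsaccountlock
#

# admin, users, accounts, example.test
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
nsaccountlock: False

# fbar, users, accounts, example.test
dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=test
nsaccountlock: True

# nolock, users, accounts, example.test
dn: uid=nolock,cn=users,cn=accounts,dc=example,dc=test
"""


def ldapsearch_argv(suffix: str, host: str = "localhost",
                    attrs: tuple = ("nsaccountlock",)) -> List[str]:
    """Build the ldapsearch command from the thread. The attribute list at the end is what
    makes the operational attribute nsaccountlock show up in the result."""
    base = f"cn=users,cn=accounts,{suffix}"
    return ["ldapsearch", "-h", host, "-Y", "GSSAPI", "-b", base, "-s", "one", *attrs]


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: comment lines skipped, entries split on blank lines,
    RFC 2849 continuation lines (leading space) folded, attribute names lower-cased.
    Base64 ('::') values are not decoded; none of the attributes used here need it."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]  # folded continuation of the previous value
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def account_lock_state(text: str) -> Dict[str, Optional[bool]]:
    """Map each DN to True (disabled), False (enabled) or None (nsaccountlock not returned).
    The None case is what you see when the attribute was not requested explicitly."""
    state: Dict[str, Optional[bool]] = {}
    for entry in parse_ldif(text):
        if "dn" not in entry:
            continue
        dn = entry["dn"][0]
        values = entry.get("nsaccountlock")
        if not values:
            state[dn] = None
        else:
            # 389-ds may return TRUE/FALSE or True/False; compare case-insensitively
            state[dn] = values[0].lower() == "true"
    return state


def disabled_dns(text: str) -> List[str]:
    """DNs of accounts that are positively marked as disabled."""
    return [dn for dn, locked in account_lock_state(text).items() if locked is True]


if __name__ == "__main__":
    print(" ".join(ldapsearch_argv("dc=example,dc=test")))
    for dn, locked in account_lock_state(SAMPLE_LDIF).items():
        label = {True: "DISABLED", False: "enabled", None: "unknown (attribute not returned)"}[locked]
        print(f"{label:40} {dn}")
```

Pipe real `ldapsearch` output into `account_lock_state` to get the same report; if every entry comes back as "unknown", the attribute was not named in the request, which is exactly the behaviour Rob describes.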