[Freeipa-users] Bash script to see if user is enabled or disabled?

Rob Crittenden rcritten at redhat.com
Mon May 12 15:36:10 UTC 2014


Chris Whittle wrote:
> I am working on my mac setups and am wanting to ping the server every so
> often and check to see if their user is enabled or disabled.  If
> Disabled then I will show them the login screen, log them out or
> something else..  What I need is how to check to see if they are enabled
> or not through bash...  Anyone done something similar?

It depends on the tools you have. Probably the most common tool would be 
ldapsearch. It also depends on your configuration. I'm not very familiar 
with configuring macos, so here is my best shot.

Assuming you have a host keytab, you can do something like:

$ kinit host/fqdn.example.com -kt /etc/krb5.keytab
$ ldapsearch -LLL -Y GSSAPI -b uid=someuser,cn=users,cn=accounts,dc=example,dc=com nsaccountlock

If the value of nsaccountlock is TRUE then the account is disabled. Note 
that this is an operational attribute so you need to request it 
specifically. The possible values are:
  - nothing, the attribute hasn't been set yet
  - FALSE, the user is enabled
  - TRUE, the user is disabled

You can replace -Y GSSAPI with -x to do an anonymous search.

rob
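
The check described in the reply above, wrapped in a script; this is an added example, not part of the original post. The function names and the "unset"/"unknown" state labels are assumptions made for the example, and the base DN, host principal and keytab path are the placeholder values from the post.

```bash
#!/usr/bin/env bash
# Added example. BASE_DN, HOST_PRINCIPAL and KEYTAB reuse the placeholder
# values from the post; replace them with your realm's values.
BASE_DN="cn=users,cn=accounts,dc=example,dc=com"
HOST_PRINCIPAL="host/fqdn.example.com"
KEYTAB="/etc/krb5.keytab"

# Read `ldapsearch -LLL` output on stdin and print one state:
#   disabled  nsaccountlock is TRUE
#   enabled   nsaccountlock is FALSE
#   unset     entry returned, attribute not set yet
#   unknown   no entry returned, or an unexpected value
parse_lock_state() {
    awk -F': *' '
        tolower($1) == "dn"            { seen = 1 }
        tolower($1) == "nsaccountlock" { sub(/[ \t\r]+$/, "", $2); val = toupper($2); have = 1 }
        END {
            if (!seen)               print "unknown"
            else if (!have)          print "unset"
            else if (val == "TRUE")  print "disabled"
            else if (val == "FALSE") print "enabled"
            else                     print "unknown"
        }'
}

# Print the state for one uid. Returns 2 (and prints "unknown") when the
# lookup itself failed, so an outage is never mistaken for a lock decision.
account_state() {
    local uid="$1" out
    # Accept only plain login names so the argument cannot alter the search DN.
    case "$uid" in
        ''|*[!A-Za-z0-9._-]*) echo "unknown"; return 2 ;;
    esac
    kinit -k -t "$KEYTAB" "$HOST_PRINCIPAL" >/dev/null 2>&1 \
        || { echo "unknown"; return 2; }
    out=$(ldapsearch -LLL -Y GSSAPI -b "uid=${uid},${BASE_DN}" nsaccountlock 2>/dev/null) \
        || { echo "unknown"; return 2; }
    printf '%s\n' "$out" | parse_lock_state
}

# Offline demo on constructed LDIF (not captured from a real server).
printf 'dn: uid=someuser,%s\nnsAccountLock: TRUE\n' "$BASE_DN" | parse_lock_state
```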



