[Freeipa-users] howto ldapsearch for disabled/enabled users?
Martin Kosek
mkosek at redhat.com
Mon Apr 18 10:29:53 UTC 2016
On 04/15/2016 04:06 PM, Harald Dunkel wrote:
> Hi David,
>
> On 04/15/16 15:11, David Kupka wrote:
>>
>> Hello Harri,
>>
>> the attribute you're looking for is 'nsaccountlock'. This command should give you uids of all disabled users:
>>
>> $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(nsaccountlock=TRUE)" uid
>>
>
> Thats exactly what I was looking for. For the record: Searching for
> "nsaccountlock=FALSE" did not work. I had to use
>
> ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test '(!(nsaccountlock=TRUE))' uid
>
> instead.
Right, this is because nsaccountlock is not with a user by default, it will be
there after the first time the user is administratively disabled and then enabled.
More information about the Freeipa-users
mailing list