directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <akaras...@gmail.com>
Subject Re: Missing information on how to lock a user account
Date Sun, 22 Feb 2009 15:21:04 GMT
On Fri, Feb 20, 2009 at 6:49 AM, Stefan Zoerner <stefan@labeo.de> wrote:

> Emmanuel Lecharny wrote:
>
>> What do you mean exactly ? It's an LDAP server, and the authentication
>> system will just look for a user which DN is given, and compare its
>> credential with what has been passed to the Bind Request operation (at
>> least for a Simple authentication).
>>
>> Either the user exists and its credential are valid, and the user will
>> be authenticated, or one of the two previous condition are not met,
>> and the user won't be authenticated. There are no notion of
>> enabled/disabled users, or locked.
>>
>> Did I misinterpretated your need ?
>>
>>  By checking the documentation I did not find any hint related to this
>>> action, either. So I don't know if this feature is supported by the
>>> Apache DS at all.
>>>
>>
>
> Just in addition to Emmanuel (who is right), Mike perhaps compares it to
> vendor specific features, some LDAP servers provide (Active Directory, IBM
> Tivoli, etc.).
>
> You have different options to mimic such requirements with Standard LDAP
> functionality in ApacheDS. The easiest I have in mind is simply deleting the
> user entry. Other options depend on how you authenticate.
>
> It is perhaps sufficient to remove the user from some group, or to remove
> his/her password attribute from the user entry. I have other things which
> would work in mind as well, but it depends on your exact requirements,
> whether they work or not.
>

Yep removing the userPassword attribute or even using an ACI can do it.  I'd
personally just remove the userPassword attribute.

Alex

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message