From: "Cezar Fistik" <cezar@arax.md>
To: freebsd-questions@freebsd.org
Date: Thu, 18 Nov 2004 20:18:00 +0200
Subject: account management pam_ldap+nss_ldap
List-Id: User questions

Hello all,

I would greatly appreciate it if someone could help me or point me to the right place to find a solution to the following problem. I have a system (5.3-release) configured to do user authentication through pam and ldap using pam_ldap.so and nss_ldap.so. Everything is fine with that configuration; I am able to login, ssh and ftp to the system using users configured only in ldap with no problem.

What I'm looking for is a way to manage these accounts, I mean to temporarily disable (lock) an account or a group of accounts, like "pw lock username", set account expiration dates and so on. I spent the last 2 days searching but found nothing, or maybe I was looking in the wrong places? Please, if someone did things like those described above, help me. Actually, I'm most interested in disabling/enabling an ldap account/group without deleting it.

I was trying to find a solution myself and have thought of the following. To create an ldap schema file which will have an objectclass with the accountEnabled attribute (and maybe some others too). To include this objectclass for DNs containing users and somehow to create a filter in the nss_ldap config file which will do the filtering taking into account the accountEnabled flag. What do you think of this approach? I would appreciate any suggestions.

Thanks,
Cezar Fistik
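The approach sketched in the message (a Boolean accountEnabled attribute on the user entries, and nss_ldap/pam_ldap filters that only match accounts carrying TRUE) worked through as a shell script, added here as an example and not code from the original post or from the nss_ldap/pam_ldap projects. Everything concrete in it is an assumption: the base DN dc=example,dc=com with users under ou=People and groups under ou=Group, the auxiliary class name araxAccount, the admin DN cn=Manager, and the OID arc 1.3.6.1.4.1.99999, which is a placeholder that must be replaced with an arc you own. The nss_base_*  base?scope?filter  syntax and pam_filter are taken from the sample ldap.conf shipped with nss_ldap and pam_ldap; check that the versions in your ports tree accept the filter field.

```shell
#!/bin/sh
# Added example (not from the original post): drive the accountEnabled
# lock flag that the message proposes, and emit the matching nss_ldap /
# pam_ldap filter lines. Everything below is an assumption: base DN
# dc=example,dc=com, users under ou=People, an auxiliary class named
# araxAccount, admin DN cn=Manager, and the PLACEHOLDER OID arc
# 1.3.6.1.4.1.99999 (replace it with an arc you own before loading it).

BASE_DN="${BASE_DN:-dc=example,dc=com}"
PEOPLE_DN="ou=People,$BASE_DN"
OID_ARC="1.3.6.1.4.1.99999"   # PLACEHOLDER, not a registered arc

# slapd schema fragment: a Boolean attribute and an auxiliary class that
# can be attached to existing posixAccount entries without touching them
# otherwise. MAY (not MUST) so the class can be added before the value.
schema_fragment() {
    cat <<EOF
attributetype ( $OID_ARC.1.1 NAME 'accountEnabled'
    DESC 'FALSE locks the account for NSS and PAM'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

objectclass ( $OID_ARC.2.1 NAME 'araxAccount'
    DESC 'Auxiliary class carrying the account lock flag'
    SUP top AUXILIARY
    MAY ( accountEnabled ) )
EOF
}

# Client-side lines for the ldap.conf read by nss_ldap and pam_ldap. The
# third field of nss_base_* (base?scope?filter) is AND-ed with the map's
# default filter, so a locked or unflagged account disappears from
# getpwnam(); pam_filter is AND-ed with uid=%s, so pam_ldap refuses it too.
# Fail-closed: every live account must carry accountEnabled: TRUE.
client_conf() {
    cat <<EOF
base $BASE_DN
nss_base_passwd $PEOPLE_DN?one?(accountEnabled=TRUE)
nss_base_shadow $PEOPLE_DN?one?(accountEnabled=TRUE)
pam_filter accountEnabled=TRUE
EOF
}

# Modify-LDIF for one account. Mode "add" (first time) also attaches the
# auxiliary class; the default "replace" just flips the flag.
flag_ldif() {   # flag_ldif <uid> <TRUE|FALSE> [add]
    printf 'dn: uid=%s,%s\nchangetype: modify\n' "$1" "$PEOPLE_DN"
    if [ "${3:-replace}" = add ]; then
        printf 'add: objectClass\nobjectClass: araxAccount\n-\n'
        printf 'add: accountEnabled\naccountEnabled: %s\n' "$2"
    else
        printf 'replace: accountEnabled\naccountEnabled: %s\n' "$2"
    fi
}

lock_account()   { flag_ldif "$1" FALSE; }    # like "pw lock": nothing is deleted
unlock_account() { flag_ldif "$1" TRUE; }     # like "pw unlock"

# Lock every memberUid of a posixGroup. stdin: the LDIF that
#   ldapsearch -x -b "ou=Group,$BASE_DN" "(cn=<group>)" memberUid
# prints; stdout: one modify record per member, blank-line separated.
lock_group_ldif() {
    sed -n 's/^memberUid: //p' | while read -r member; do
        lock_account "$member"
        printf '\n'
    done
}

# Push an LDIF stream to the directory (prompts for the admin password).
apply_ldif() {
    ldapmodify -x -H "${LDAP_URI:-ldap://localhost/}" -D "cn=Manager,$BASE_DN" -W
}

# Usage, once slapd has loaded schema_fragment and client_conf is in place:
#   flag_ldif cezar TRUE add | apply_ldif        # migrate an existing user
#   lock_account cezar       | apply_ldif
#   ldapsearch -x -b "ou=Group,$BASE_DN" '(cn=staff)' memberUid \
#       | lock_group_ldif | apply_ldif
```

Two caveats a practitioner would want. First, the filter is fail-closed: an entry without accountEnabled: TRUE vanishes from the passwd map, so every existing user has to be migrated with the "add" form before the nss_base_* lines are switched on, and a lock hides the user from getpwnam() rather than blocking only authentication (their files show up owned by a bare numeric UID, and sessions already open are not terminated; pam_filter is what makes pam_ldap itself refuse the login). Second, for the expiration date there is no need for a custom schema: give the entries the RFC 2307 shadowAccount class and set shadowExpire (days since the epoch), which pam_ldap's account management already checks.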