[TriLUG] Need some help with LDAP

Matthew Pusateri mpusateri at wickedtrails.com
Thu Aug 28 16:38:55 EDT 2008


I've seen several things done.

1. change login name from "user" to "Xuser" where X or XXX is some combination known only to the admin, this way the user has to know the new login name. Yes, security through obscurity. One advantage to this is you can see who owned the files instead of just seeing a UID number.
2. change the password.
3. if using samba schema, I believe there is a field to disable in samba, but I don't know it in front of me. I know when I use Directory Administrator to manage the LDAP accounts, I believe it had a Windows disable check box. I could be wrong. Directory Administrator is one of my favorite LDAP GUI admin tools.
4. If you're using the password policy schema, you could set the account locked out, set the account lockout period to some distant future date, set the max password attempts and such.
5. make sure you also delete/move/rename any .ssh directories or keys as ssh keys can bypass PAM.


Matt P.

On Aug 28, 2008, at 4:04 PM, Brian Blater wrote:

> Hey LUGers,
>
> I'm getting started on a Proof of Concept here at $WORK where I would
> like to show the possibility of getting rid of our MS SBS boxes and
> putting a Linux server in place to show we can have the same
> functionality etc but get more bang for the buck.
>
> I've setup one of our Dell servers with Ubuntu Hardy Server and have
> installed DHCP, DNS, Postfix, Apache, PHP, MySQL, Samba, Webmin and
> LDAP. So far so good. I've been working on the LDAP database and
> getting everything to work with that. One issue that came up with LDAP
> is the ability to disable a user account. We don't immediately delete
> a user account, but disable it for a time and then later delete it. I
> have looked for something in LDAP to mark an account as disabled but
> for the life of me I can't find anything. My Google searches didn't
> turn up anything that logically worked (maybe I was just looking for
> the wrong terms.)
>
> Anyways, I believe there are several of you out there that have setup
> account management using LDAP and I'm wondering how you have been able
> to disable an account? Thanks for any help you can give me as I try to
> get make Linux more visible in our organization.
>
> Thanks,
> Brian
> -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions
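Items 3, 4 and 5 of Matt's reply above, scripted as an added example (not code from the thread): the first function emits an LDIF changeset for ldapmodify that locks the entry through the ppolicy overlay's pwdAccountLockedTime attribute and Samba's disabled flag; the second parks the user's .ssh directory so key-based logins cannot sidestep the LDAP lock. Assumed, not stated in the thread: an OpenLDAP server with slapo-ppolicy loaded, entries that carry sambaSamAccount, a People OU, and the placeholder base DN dc=example,dc=com.

```shell
#!/bin/sh
# Added example: disable an LDAP account the way the reply above describes.
# Assumptions (not from the thread): OpenLDAP with the ppolicy overlay active
# for this entry, the Samba schema on the entry, users under ou=People.

# disable_ldif UID BASEDN: print a modify changeset for "ldapmodify -f".
disable_ldif() {
    # 000001010000Z is the ppolicy value meaning "locked permanently".
    # sambaAcctFlags is 11 characters wide inside the brackets; D = disabled.
    cat <<EOF
dn: uid=$1,ou=People,$2
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 000001010000Z
-
replace: sambaAcctFlags
sambaAcctFlags: [UD         ]
-
EOF
}

# park_ssh_keys HOMEDIR: move ~/.ssh aside so authorized_keys stop working
# and make the parked copy unreadable. Returns 0 if moved, 1 if nothing to do.
park_ssh_keys() {
    home="$1"
    [ -d "$home/.ssh" ] || return 1
    mv "$home/.ssh" "$home/.ssh.disabled" || return 1
    chmod 000 "$home/.ssh.disabled"
}
```

Apply the changeset with something like `disable_ldif jdoe dc=example,dc=com | ldapmodify -x -D "cn=admin,dc=example,dc=com" -W` (admin DN is a placeholder); the ppolicy lock only stops LDAP binds, which is why the ssh step is still needed.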
