[ale] disabled accounts and pam
Dan Newcombe
Newcombe at mordor.clayton.edu
Wed Jun 27 15:54:32 EDT 2001
On Wed, 27 Jun 2001, Clint Ricker wrote:
> Two possible solutions...if you are wanting to disable across the
> network, then append a SUSPEND (or something else obvious) to their
> password block so their password doesn't match. Then remove it to
> reenable the account. Another method is to just change their shell
> (assuming a unix only environment).
I'm leaning towards the "temporary copy of the password before replacing"
solution. The problem with the shell solution is that pop/imap just
doesn't seem to care. I'll have to look into their pam config files
though. Perhaps adding a pam_shells line will clear this all up.
Thanks for poking the ole noggin.
> If you are wanting to disable the account only for a particular system,
> set the /etc/nsswitch.conf file to do files before ldap (it probably
> is a good idea to do this anyway), and then create the account on the
> local system.
Nope...it's all or nothing and needs to be a ldapable solution. Methinks
it's time for a /disabled to become a shell :)
-Dan
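
Added example, not part of the original message: pam_shells.so refuses a login when the account's shell is not listed in /etc/shells, so a "/disabled" shell only locks out services whose PAM stack calls that module. The script below lists the service files that do not; the service names, file contents and temporary paths are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): find PAM services that would still
# accept a user whose shell has been set to an unlisted value like /disabled.

# Print each service file in DIR with no active pam_shells.so line in its
# auth or account stack. Limitation: stacks pulled in through include
# directives are not followed, so review those files separately.
services_without_pam_shells() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            $1 ~ /^#/ { next }                       # skip commented-out lines
            $1 ~ /^-?(auth|account)$/ {
                for (i = 2; i <= NF; i++)
                    if ($i ~ /(^|\/)pam_shells\.so$/) found = 1
            }
            END { exit found ? 0 : 1 }' "$f" || basename "$f"
    done
}

# Succeed if SHELL appears as a whole line in SHELLS_FILE, which is the
# lookup pam_shells performs against /etc/shells.
shell_is_listed() {
    awk -v s="$1" '$0 == s { ok = 1 } END { exit ok ? 0 : 1 }' "$2"
}

# Constructed sample data: a PAM directory and a shells file in a temp dir.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/pam.d"
    printf '%s\n' 'auth required pam_unix.so' \
                  'account required pam_unix.so' > "$d/pam.d/imap"
    printf '%s\n' 'auth required pam_shells.so' \
                  'auth required pam_unix.so' > "$d/pam.d/pop"
    printf '%s\n' '# auth required pam_shells.so' \
                  'auth required pam_unix.so' > "$d/pam.d/ftp"
    printf '%s\n' '# valid login shells' '/bin/sh' '/bin/bash' > "$d/shells"
    echo "$d"
}

sample=$(make_sample)
echo "Services that would ignore a /disabled shell:"
services_without_pam_shells "$sample/pam.d"
shell_is_listed /disabled "$sample/shells" || echo "/disabled is not a listed shell"
rm -rf "$sample"
```

Point the first function at the real /etc/pam.d and the second at /etc/shells to check a live host; the disabling shell must stay out of /etc/shells for pam_shells to reject it.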