Posted to users@directory.apache.org by Mike Jaeger <mi...@est.fujitsu.com> on 2009/02/20 10:15:51 UTC
Missing information on how to lock a user account
Hello,
We just started to use the Apache DS in our testing environment and
faced the following problem: It is not clear how to lock or disable a
user account.
By checking the documentation I did not find any hint related to this
action, either. So I don’t know if this feature is supported by the
Apache DS at all.
It would be nice if you could provide some details on this issue.
One more note: I would find it really helpful to have a link to a
mailing list or forum where this kind of question can be asked, but I
did not find a corresponding link on the site.
Best regards,
Mike Jäger
Senior Engineer
FUJITSU Enabling Software Technology GmbH
Frankfurter Ring 211
D-80807 München
Tel: +49 89 360 908 538
Fax: +49 89 360 908 245
COINS: 7941-6538
Registered office: München
Commercial register: AG München, HRB 143325
Managing directors: Franz Buchenberger, Dr. Yuji Takada
Re: Missing information on how to lock a user account
Posted by Alex Karasulu <ak...@gmail.com>.
On Fri, Feb 20, 2009 at 7:28 AM, Emmanuel Lecharny <el...@apache.org> wrote:
> > Just in addition to Emmanuel (who is right), Mike perhaps compares it to
> > vendor-specific features that some LDAP servers provide (Active Directory,
> > IBM Tivoli, etc.).
>
...
>
> It's
> just a matter of adding an operational attribute into a specific
> ObjectClass and setting it when we want to disable a user, for instance
> (just an idea which might be dug into a bit more)
>
>
You can add operational attributes to any entry without the need to define
them in an objectClass. Only application usage attributes need to be defined.
Alex
Re: Missing information on how to lock a user account
Posted by Alex Karasulu <ak...@gmail.com>.
On Fri, Feb 20, 2009 at 9:21 AM, Stefan Zoerner <st...@labeo.de> wrote:
> Emmanuel Lecharny wrote:
>
>>> Just in addition to Emmanuel (who is right), Mike perhaps compares it to
>>> vendor-specific features that some LDAP servers provide (Active Directory,
>>> IBM Tivoli, etc.).
>>>
>>
>> I would like to know about those features, because I think it might be
>> valuable - and really easy - to add them into ADS, if needed. It's
>> just a matter of adding an operational attribute into a specific
>> ObjectClass and setting it when we want to disable a user, for instance
>> (just an idea which might be dug into a bit more)
>>
>
> We can think about implementing parts of this
>
> http://tools.ietf.org/draft/draft-behera-ldap-password-policy/
>
> It is interesting in general, and contains a chapter about locking accounts
> as well.
>
> Unfortunately, the draft has never become an RFC, and is expired now, as
> far as I know.
>
> Something for the "After 2.0" time, perhaps.
>
Yes, I agree we need this to be standardized in LDAP and implemented for
ADS. We could still implement the draft, with careful consideration of its
drawbacks, but again this would have to be after 2.0.
Alex
Re: Missing information on how to lock a user account
Posted by Stefan Zoerner <st...@labeo.de>.
Emmanuel Lecharny wrote:
>> Just in addition to Emmanuel (who is right), Mike perhaps compares it to
>> vendor-specific features that some LDAP servers provide (Active Directory,
>> IBM Tivoli, etc.).
>
> I would like to know about those features, because I think it might be
> valuable - and really easy - to add them into ADS, if needed. It's
> just a matter of adding an operational attribute into a specific
> ObjectClass and setting it when we want to disable a user, for instance
> (just an idea which might be dug into a bit more)
We can think about implementing parts of this
http://tools.ietf.org/draft/draft-behera-ldap-password-policy/
It is interesting in general, and contains a chapter about locking
accounts as well.
Unfortunately, the draft has never become an RFC, and is expired now, as
far as I know.
Something for the "After 2.0" time, perhaps.
Greetings from Hamburg,
Stefan
Re: Missing information on how to lock a user account
Posted by Emmanuel Lecharny <el...@apache.org>.
> Just in addition to Emmanuel (who is right), Mike perhaps compares it to
> vendor-specific features that some LDAP servers provide (Active Directory,
> IBM Tivoli, etc.).
I would like to know about those features, because I think it might be
valuable - and really easy - to add them into ADS, if needed. It's
just a matter of adding an operational attribute into a specific
ObjectClass and setting it when we want to disable a user, for instance
(just an idea which might be dug into a bit more)
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: Missing information on how to lock a user account
Posted by Alex Karasulu <ak...@gmail.com>.
On Fri, Feb 20, 2009 at 6:49 AM, Stefan Zoerner <st...@labeo.de> wrote:
> Emmanuel Lecharny wrote:
>
>> What do you mean exactly? It's an LDAP server, and the authentication
>> system will just look for the user whose DN is given, and compare its
>> credentials with what has been passed to the Bind Request operation (at
>> least for a Simple authentication).
>>
>> Either the user exists and its credentials are valid, and the user will
>> be authenticated, or one of the two previous conditions is not met,
>> and the user won't be authenticated. There is no notion of
>> enabled/disabled users, or locked ones.
>>
>> Did I misinterpret your need?
>>
>>> By checking the documentation I did not find any hint related to this
>>> action, either. So I don't know if this feature is supported by the
>>> Apache DS at all.
>>>
>>
>
> Just in addition to Emmanuel (who is right), Mike perhaps compares it to
> vendor-specific features that some LDAP servers provide (Active Directory,
> IBM Tivoli, etc.).
>
> You have different options to mimic such requirements with Standard LDAP
> functionality in ApacheDS. The easiest I have in mind is simply deleting the
> user entry. Other options depend on how you authenticate.
>
> It is perhaps sufficient to remove the user from some group, or to remove
> his/her password attribute from the user entry. I have other things which
> would work in mind as well, but it depends on your exact requirements,
> whether they work or not.
>
Yep, removing the userPassword attribute or even using an ACI can do it. I'd
personally just remove the userPassword attribute.
Alex
Re: Missing information on how to lock a user account
Posted by Stefan Zoerner <st...@labeo.de>.
Emmanuel Lecharny wrote:
> What do you mean exactly? It's an LDAP server, and the authentication
> system will just look for the user whose DN is given, and compare its
> credentials with what has been passed to the Bind Request operation (at
> least for a Simple authentication).
>
> Either the user exists and its credentials are valid, and the user will
> be authenticated, or one of the two previous conditions is not met,
> and the user won't be authenticated. There is no notion of
> enabled/disabled users, or locked ones.
>
> Did I misinterpret your need?
>
>> By checking the documentation I did not find any hint related to this
>> action, either. So I don't know if this feature is supported by the
>> Apache DS at all.
Just in addition to Emmanuel (who is right), Mike perhaps compares it to
vendor-specific features that some LDAP servers provide (Active Directory,
IBM Tivoli, etc.).
You have different options to mimic such requirements with Standard LDAP
functionality in ApacheDS. The easiest I have in mind is simply deleting
the user entry. Other options depend on how you authenticate.
It is perhaps sufficient to remove the user from some group, or to
remove his/her password attribute from the user entry. I have other
things which would work in mind as well, but it depends on your exact
requirements, whether they work or not.
Greetings from Hamburg,
Stefan
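One way to carry out the "remove the password attribute" option that Stefan lists above and that Alex favours in his reply, while keeping the stored hash so the account can be re-enabled later without a password reset. This is an added example, not code from the thread or from ApacheDS; it assumes the entry is read and changed through standard LDIF (ldapsearch/ldapmodify or any LDIF-capable client), and the DN and the hash value are constructed placeholders.

```python
import base64

def parse_ldif_attribute(ldif_text: str, attr: str) -> list:
    """Return every value of `attr` in an LDIF record (e.g. ldapsearch output).

    Two LDIF details matter for userPassword: ldapsearch emits the value
    base64-encoded after '::' (hashes count as binary), and long values are
    folded onto continuation lines that begin with a single space."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # unfold a continuation line
        else:
            lines.append(line)
    values = []
    for line in lines:
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:].strip()))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:].encode())
    return values

def disable_ldif(dn: str) -> str:
    """Change record removing userPassword, as Alex suggests: a simple bind as
    this entry then fails with invalidCredentials, indistinguishable from a
    wrong password or a deleted entry, so keep your own record of who is disabled."""
    return f"dn: {dn}\nchangetype: modify\ndelete: userPassword\n-\n"

def reenable_ldif(dn: str, saved_hash: bytes) -> str:
    """Change record restoring the saved hash byte-for-byte (base64 via '::'),
    so the user keeps the old password instead of needing a reset."""
    b64 = base64.b64encode(saved_hash).decode("ascii")
    return f"dn: {dn}\nchangetype: modify\nadd: userPassword\nuserPassword:: {b64}\n-\n"

# Constructed sample shaped like `ldapsearch -LLL -b "<dn>" userPassword` output;
# the DN and the {SHA} value are placeholders, not a real entry or digest.
SAMPLE_SEARCH_OUTPUT = (
    "dn: uid=placeholder,ou=users,dc=example,dc=com\n"
    "userPassword:: e1NIQX1wbGFjZWhvbGRl\n"
    " ci1oYXNo\n"
)

def disable_with_backup(dn: str, search_output: str):
    """Save the current hash(es) first, then produce the LDIF for ldapmodify.
    Refuses to proceed when there is nothing to remove (already disabled?)."""
    saved = parse_ldif_attribute(search_output, "userPassword")
    if not saved:
        raise ValueError(f"{dn} has no userPassword to remove")
    return saved, disable_ldif(dn)
```

Feed the returned LDIF to ldapmodify as an administrative bind; the saved hash list is what you store to re-enable the account later with `reenable_ldif`.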
Re: Missing information on how to lock a user account
Posted by Emmanuel Lecharny <el...@apache.org>.
Hi Mike,
On Fri, Feb 20, 2009 at 10:15 AM, Mike Jaeger <mi...@est.fujitsu.com> wrote:
> Hello,
>
> We just started to use the Apache DS in our testing environment and
> faced the following problem: It is not clear how to lock or disable a
> user account.
What do you mean exactly? It's an LDAP server, and the authentication
system will just look for the user whose DN is given, and compare its
credentials with what has been passed to the Bind Request operation (at
least for a Simple authentication).
Either the user exists and its credentials are valid, and the user will
be authenticated, or one of the two previous conditions is not met,
and the user won't be authenticated. There is no notion of
enabled/disabled users, or locked ones.
Did I misinterpret your need?
> By checking the documentation I did not find any hint related to this
> action, either. So I don't know if this feature is supported by the
> Apache DS at all.
>
> It would be nice if you could provide some details on this issue.
What would also help is if you provided some information about the
features you need that are available in other LDAP servers. Maybe I'm
missing something here.
> One more note: I would find it really helpful to have a link to a
> mailing list or forum where this kind of question can be asked, but I
> did not find an according link on the site.
http://directory.apache.org/community%26resources/mailing-lists-and-irc.html
This is the place. And this mailing list is just the perfect place. We
don't have forums, but the mails are archived, and you can consult
those archives.
Hope it helps (a bit :)
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com