Viewing 6 posts - 1 through 6 (of 6 total)
  • #375694
    rstasel
    Participant

    Anyone know what gets toggled in OD when you disable an account in WGM? I did an ldif export before and after, and diff’d the files, and there is no difference. So it must be setting something in PasswordServer. Any idea what? Can it be twiddled from the command line, or am I just going to be forced to set a keyword, then disable accounts in WGM after searching for that keyword?

    Thanks!

    #375697
    arekdreyer
    Member

    You are correct – whether or not the user is disabled is not an attribute stored in LDAP.
    That seems wrong at first, doesn’t it?

    But remember that LDAP is only used to IDENTIFY the user. The password server and
    KDC are used to provide authentication.

    So the Workgroup Manager checkbox for “User can access account” really should
    be “allow user to authenticate”, but that’s too pedantic.

    The “enable or not” setting is an attribute stored in the password server (isDisabled).

    You can use mkpassdb to look at the user’s password server properties,
    but first use mkpassdb -dump to find the user’s password server slot-ID.

    #375698
    rstasel
    Participant

    That actually makes a lot of sense. It sucks in that it doesn’t appear it’s that easy to make changes to that system like it is to the OD system (dscl). I see easily enough if they’re disabled… but disabling their account from the CLI doesn’t look trivial.

    Think my best bet is going to be the keyword approach then (look at the list of users that should have accounts compared to who do have accounts, if someone has an account that shouldn’t, use dscl to set a keyword of “expired” on the account. Then use WGM to disable/delete “expired” accounts).

    Thanks a bunch arekdreyer…

    #375699
    arekdreyer
    Member

    Sorry, I should have pointed you to pwpolicy not mkpassdb.

    This is probably exactly what you want:
    [code]pwpolicy -a diradmin -u userxyz -setpolicy "isDisabled=1"[/code]

    You’ll be prompted for the directory administrator’s password
    unless you provide the password with -p.
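
    Putting the two halves of this thread together (compare who has an account against who should, then flip isDisabled with pwpolicy), here is an added shell example that is not from the thread or from Apple. It assumes Mac OS X Server 10.5, a directory admin named diradmin, an LDAP node at /LDAPv3/127.0.0.1, and that `pwpolicy -getpolicy` prints space-separated key=value pairs (format assumed); the two helper functions are pure text processing so they can be checked without a server.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the pwpolicy syntax quoted above,
# a directory admin "diradmin", and an OD LDAP node at /LDAPv3/127.0.0.1.

# Parse the assumed space-separated key=value output of `pwpolicy ... -getpolicy`
# and print the value of isDisabled ("1" = disabled, "0" = enabled).
parse_is_disabled() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^isDisabled=//p' | head -n 1
}

# Print every account in the directory listing ($2, one name per line) that is
# missing from the authorized list ($1, one name per line): the disable candidates.
accounts_to_disable() {
  authorized="$1"; existing="$2"
  printf '%s\n' "$existing" | while IFS= read -r u; do
    [ -n "$u" ] || continue
    printf '%s\n' "$authorized" | grep -qx -- "$u" || printf '%s\n' "$u"
  done
}

# Live run (needs dscl and pwpolicy): report each candidate, and disable it in
# the password server only when --apply is given. Prompts for diradmin's password.
# Usage: disable_unauthorized authorized.txt [--apply]
disable_unauthorized() {
  auth_list=$(cat "$1")
  all_users=$(dscl /LDAPv3/127.0.0.1 -list /Users)
  accounts_to_disable "$auth_list" "$all_users" | while IFS= read -r u; do
    policy=$(pwpolicy -a diradmin -u "$u" -getpolicy)
    if [ "$(parse_is_disabled "$policy")" = "1" ]; then
      echo "$u: already disabled"
    elif [ "$2" = "--apply" ]; then
      pwpolicy -a diradmin -u "$u" -setpolicy "isDisabled=1" && echo "$u: disabled"
    else
      echo "$u: would disable (re-run with --apply)"
    fi
  done
}
```

    Run it once without --apply and review the list before applying; an account missing from authorized.txt because of a typo would otherwise be disabled.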

    #375700
    rstasel
    Participant

    Crap. That’s perfect!

    Thanks!

    So, got any idea why the “allow simultaneous login on managed clients” doesn’t seem to work (unchecking it doesn’t prevent people from logging in multiple times)? Looking on the web, it looks like it’s a known issue, but… I know this setting is held in OD (diffing a before and after ldif points to the mcx policy stuff…)

    Oh, and why “old” users that were migrated from 10.3 to 10.4, then to 10.5, don’t work with iCal server (you select an iCal server, and hit save, only to see the box be unchecked again).

    Thanks again!

    #375705
    rstasel
    Participant

    We are using network homes.
