Score:0

Is it possible to disable LDAP passwords for a user without disabling their account?


We have a cluster that uses an internal LDAP domain for user authentication that previously used passwords stored in LDAP. We have now moved the login machine to use krb5 for password authentication against an external KDC. We would like to remove the local LDAP passwords if we can. Is there an equivalent in LDAP to the traditional Unix auth command usermod -p '!' user?

user1686
What LDAP server are you using? Not all of them work the same way.
Score:0

For OpenLDAP – remove the userPassword attribute from each user account.

There are no standard commands; you'll need ldapsearch | some awk/sed/grep | ldapmodify, or script the batch update using Perl/Python.

Alternatively: You can have the LDAP server validate plain passwords against Kerberos by setting each user's userPassword attribute to {SASL}user@REALM and running the saslauthd -a krb5 daemon to perform password validation. (Of course, this is not as good as actual Kerberos authentication.)
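
The ldapsearch | awk | ldapmodify pipeline from the answer above, sketched as an added example (not code from the original post). The base DN, bind DN, output file name and sample entries are constructed placeholders; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build an ldapmodify change set that deletes userPassword.
# Base DN, bind DN and the sample entries below are constructed placeholders.

# Read "ldapsearch -LLL -o ldif-wrap=no ... 1.1" output on stdin and emit one
# LDIF modify record per entry. Plain "dn:" and base64 "dn::" lines are passed
# through unchanged, so ldapmodify decodes non-ASCII DNs itself.
make_delete_ldif() {
    awk '
        /^dn::? / {
            print $0
            print "changetype: modify"
            print "delete: userPassword"
            print "-"
            print ""
        }
    '
}

# Count the records in a generated change set, for review before applying it.
count_records() {
    grep -c '^changetype: modify$'
}

# Constructed sample of what the search returns (DN only, no attributes).
sample_search_output() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=org

dn: uid=bob,ou=People,dc=example,dc=org

dn:: dWlkPXrDqSxvdT1QZW9wbGUsZGM9ZXhhbXBsZSxkYz1vcmc=

EOF
}

# Real run against the directory (not executed here):
#   ldapsearch -LLL -o ldif-wrap=no -x -D "$BIND_DN" -W -b "$BASE_DN" \
#       '(userPassword=*)' 1.1 | make_delete_ldif > remove-passwords.ldif
#   ldapmodify -n -x -D "$BIND_DN" -W -f remove-passwords.ldif   # dry run
#   ldapmodify    -x -D "$BIND_DN" -W -f remove-passwords.ldif   # apply

sample_search_output | make_delete_ldif
```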
