I would worry that even unticking the "access account" box won't
fully disable a user. Presumably this just sets or unsets a flag in
LDAP. What about a service that just checks the user's password but
doesn't check any user information -- it would presume the account
is enabled if it can verify the password.
Actually it checks a flag in the PasswordServer, the 'isDisabled'
property that you can get and set with pwpolicy.
If an account is disabled, standard LDAP authentication will fail, as
will stuff like /usr/libexec/chkpasswd.
To disable use of an account you need to lock the password (ensure
the use of the valid user password always fails). Of course locking
an account this way will mean things like email can continue to be
delivered to that user account - that user just can't check it.
To lock a user account in this way via WGM -- "Advanced" tab, User
Password Type - "Options..." - untick "Allow the user to log in".
In terms of authentication I don't see what the difference in these
two methods is. Both of them simply set the isDisabled property to 1
in Password Server as far as I can see.
--
Nigel Kersten [Senior Technical Officer]
College of Fine Arts, University of NSW, Australia.
CRICOS Provider Code: 00098G
