>
> On 30/01/2006, at 12:18 PM, Rob Middleton wrote:
>
>> I would worry that even unticking the "access account" box won't
>> fully disable a user. Presumably this just sets or unsets a flag in
>> LDAP. What about a service that just checks the user's password but
>> doesn't check any user information -- it would presume the account
>> is enabled if it can verify the password.
>
> Actually it checks a flag in the PasswordServer, the 'isDisabled'
> property that you can get and set with pwpolicy.
>
> If an account is disabled, standard LDAP authentication will fail, as
> will stuff like /usr/libexec/chkpasswd.
>
>
>> To disable use of an account you need to lock the password (ensure
>> the use of the valid user password always fails). Of course locking
>> an account this way will mean things like email can continue to be
>> delivered to that user account - that user just can't check it.
>>
>> To lock a user account in this way via WGM -- "Advanced" tab, User
>> Password Type - "Options..." - untick "Allow the user to log in".
>
> In terms of authentication I don't see what the difference in these
> two methods is. Both of them simply set the isDisabled property to 1
> in Password Server as far as I can see.

I was just getting ready to post that the two checkboxes do the same
thing, but you beat me to it. :)

FWIW, our logintimes script uses pwpolicy to automate this flag.

Josh
www.afp548.com
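
An added example, not part of the original thread and not the logintimes script mentioned above: a small audit that reads the isDisabled flag discussed in the thread and reports any listed account that is not confirmed disabled. It assumes `pwpolicy -u USER -getpolicy` prints whitespace-separated key=value pairs; the function names and the `diradmin` name in the comment are hypothetical.

```shell
#!/bin/sh
# Audit the Password Server 'isDisabled' flag for a list of accounts.
# Assumption: `pwpolicy -u USER -getpolicy` prints key=value pairs
# separated by whitespace. To set the flag (diradmin is a placeholder):
#   pwpolicy -a diradmin -u USER -setpolicy "isDisabled=1"

# Fetch the raw policy text for one user.
fetch_policy() {
    pwpolicy -u "$1" -getpolicy 2>/dev/null
}

# Print the value of policy key $1 found in policy text $2.
# The key must match a whole pair name, so "xisDisabled=1" is ignored.
policy_value() {
    key=$1
    set -f                      # no globbing while word-splitting $2
    for pair in $2; do
        case $pair in
            "$key"=*) set +f; printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Print disabled, enabled or unknown for user $1. A policy without an
# isDisabled key counts as enabled, so it shows up in the report.
account_state() {
    if ! policy=$(fetch_policy "$1") || [ -z "$policy" ]; then
        echo unknown
    elif [ "$(policy_value isDisabled "$policy")" = "1" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Report each account; exit status 0 only if all are confirmed disabled.
audit_disabled() {
    rc=0
    for user in "$@"; do
        state=$(account_state "$user")
        echo "$user: $state"
        [ "$state" = "disabled" ] || rc=1
    done
    return $rc
}

# Usage: sh audit.sh user1 user2 ...
if [ "$#" -gt 0 ]; then audit_disabled "$@"; fi
```

An account reported as unknown (no policy returned) fails the audit as well, so a lookup error is never read as "disabled".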
Macos-x-server mailing list (email@hidden)