We wanted to allow a specific group of people to deactivate accounts in UCS. After analyzing the system, the following LDAP attributes were identified as the ones that must change to deactivate a user:
- krb5KDCFlags
- sambaAcctFlags
- shadowExpire
A test user was deactivated using ldapmodify with the following modifications:
$ ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<EOR
dn: uid=user123,cn=users,dc=domain,dc=intranet
changetype: modify
replace: krb5KDCFlags
krb5KDCFlags: 254
-
replace: sambaAcctFlags
sambaAcctFlags: [UD ]
-
add: shadowExpire
shadowExpire: 1
EOR
After applying these changes, the test user was shown as ‘deactivated’ in UDM and UMC. The three values fit together: 254 is 126 with the Heimdal KDC ‘invalid’ bit (128) set, the D in sambaAcctFlags marks the Samba account as disabled, and shadowExpire counts days since 1970-01-01, so 1 is an expiry date long in the past.
If you need to revert the changes and reactivate the user, use the following command:
$ ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<EOR
dn: uid=user123,cn=users,dc=domain,dc=intranet
changetype: modify
replace: krb5KDCFlags
krb5KDCFlags: 126
-
replace: sambaAcctFlags
sambaAcctFlags: [U ]
-
delete: shadowExpire
EOR
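Because deactivation touches three independent login paths (Kerberos, Samba, POSIX), an account where only one or two attributes were changed is still partly usable. The following Python script is an added example, not code from the original post or from Univention: it parses LDIF text such as the output of ldapsearch and reports, per entry, whether the three attributes agree. It assumes the Heimdal KDCFlags bit layout for krb5KDCFlags (bit 7 = 0x80 = "invalid", which is what turns 126 into 254 above); the sample LDIF inside it is constructed, with a user deactivated exactly as in the post, an active user, and one that was only disabled on the Kerberos side.

```python
"""Consistency check for UCS account deactivation state (added example).

Assumptions: krb5KDCFlags follows the Heimdal KDCFlags bit layout
(0x80 = "invalid"); the sample LDIF below is constructed, not real data.
"""
import base64
import time

KRB5_INVALID = 0x80          # Heimdal KDCFlags: account is invalid/disabled
SECONDS_PER_DAY = 86400

# Constructed sample: deactivated as in the post, active, and partially deactivated.
SAMPLE_LDIF = """\
dn: uid=user123,cn=users,dc=domain,dc=intranet
uid: user123
krb5KDCFlags: 254
sambaAcctFlags: [UD         ]
shadowExpire: 1

dn: uid=user456,cn=users,dc=domain,dc=intranet
uid: user456
krb5KDCFlags: 126
sambaAcctFlags: [U          ]

dn: uid=user789,cn=users,dc=domain,dc=intranet
uid: user789
krb5KDCFlags: 254
sambaAcctFlags: [U          ]
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Handles folded continuation lines (leading space), '#' comment lines and
    base64 values ('attr:: ...'), which covers ldapsearch output of user entries.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    return entries


def kerberos_disabled(entry):
    flags = entry.get("krb5KDCFlags")
    return bool(flags) and (int(flags[0]) & KRB5_INVALID) != 0


def samba_disabled(entry):
    # sambaAcctFlags is a bracketed, space-padded letter set; D means disabled
    flags = entry.get("sambaAcctFlags")
    return bool(flags) and "D" in flags[0].strip("[] ")


def posix_expired(entry, today=None):
    """shadowExpire is a day count since 1970-01-01 (the post uses 1).

    Absent or negative means no expiry. 0 is ambiguous per shadow(5) and is
    treated here as expired, the conservative reading for an audit.
    """
    value = entry.get("shadowExpire")
    if not value:
        return False
    expire_day = int(value[0])
    if expire_day < 0:
        return False
    if today is None:
        today = int(time.time() // SECONDS_PER_DAY)
    return expire_day <= today


def account_state(entry, today=None):
    """Return ("deactivated" | "active" | "inconsistent", per-subsystem checks)."""
    checks = {
        "kerberos": kerberos_disabled(entry),
        "samba": samba_disabled(entry),
        "posix": posix_expired(entry, today),
    }
    if all(checks.values()):
        return "deactivated", checks
    if not any(checks.values()):
        return "active", checks
    return "inconsistent", checks   # at least one login path is still open


def audit(ldif_text, today=None):
    """Map each entry's DN to its state, to spot partial deactivations."""
    return {e["dn"][0]: account_state(e, today)[0] for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, state in audit(SAMPLE_LDIF).items():
        print(f"{state:13s} {dn}")
```

In practice you would feed it the output of an ldapsearch over cn=users that requests the three attributes; an "inconsistent" result is the case worth alerting on, since a manual ldapmodify that stopped after the first attribute leaves the account usable through the other two.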