Question:
How can I identify a deactivated user
Answer:
You can identify a deactivated user in LDAP by the following attributes:
sambaAcctFlags → for SambaDisabled an additional “D” is set
shadowExpire → for PosixDisabled the value is 1 instead of 0 or unset
krb5KDCFlags → for KerberosDisabled the value is 254 instead of 126
sambaAcctFlags is difficult to search via ldapsearch:
sambaAcctFlags: [U ]
sambaAcctFlags: [UD ]
Via udm there is the attribute disabled:
disabled = 1
You can also tell that the user is disabled by the “!” in the “normal” password hash:
password: {crypt}!$6$gCDUiOL/mRCXeSNQ$o5zSkuHGMKa2nBWATIFZ.9asA.DIEzQl/MTpX7MBpfMhAub5407KWgcH/sc.U2/awqOHmJUDrqIccbpZzVB0n/
vs
password: {crypt}$6$gCDUiOL/mRCXeSNQ$o5zSkuHGMKa2nBWATIFZ.9asA.DIEzQl/MTpX7MBpfMhAub5407KWgcH/sc.U2/awqOHmJUDrqIccbpZzVB0n/
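The checks above can be combined into a small audit over ldapsearch LDIF output. This is an added example, not part of the original answer. It assumes the hash is stored in the userPassword attribute (possibly base64-encoded as "userPassword::"), that LDIF lines are not folded, and that the 254 vs 126 difference can be tested as the 128 bit. The sample entries, DNs and hashes are constructed.

```python
import base64

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample in the shape of ldapsearch LDIF output (not real accounts).
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,cn=users,dc=example,dc=org",
    "sambaAcctFlags: [U          ]",
    "shadowExpire: 0",
    "krb5KDCFlags: 126",
    "userPassword:: " + _b64("{crypt}$6$salt$hash"),   # base64 form, as ldapsearch may print it
    "",
    "dn: uid=bob,cn=users,dc=example,dc=org",
    "sambaAcctFlags: [UD         ]",
    "shadowExpire: 1",
    "krb5KDCFlags: 254",
    "userPassword: {crypt}!$6$salt$hash",
    "",
    "dn: uid=carol,cn=users,dc=example,dc=org",        # only Samba disabled
    "sambaAcctFlags: [UD         ]",
    "krb5KDCFlags: 126",
    "userPassword: {crypt}$6$salt$hash",
])

def parse_ldif(text):
    """Parse blank-line-separated LDIF entries into dicts (single-valued, unfolded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):                  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            entry[name] = value.strip()
        entries.append(entry)
    return entries

def disabled_states(entry):
    """Return which of the deactivation markers described above are set for one entry."""
    flags = entry.get("sambaAcctFlags", "").strip("[]")
    _, _, hash_part = entry.get("userPassword", "").partition("}")
    return {
        "samba": "D" in flags,                                   # [UD ] vs [U ]
        "posix": entry.get("shadowExpire", "0") == "1",          # 1 vs 0 or unset
        # Assumption: 254 = 126 + 128, so test the 128 bit instead of the exact value.
        "kerberos": bool(int(entry.get("krb5KDCFlags", "0")) & 128),
        "password": hash_part.startswith("!"),                   # "!" after the {crypt} prefix
    }

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"], disabled_states(e))
```

Reporting each marker separately shows accounts that are only partially deactivated, such as the constructed carol entry.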