Filter Out Disabled Windows Accounts
January 19th, 2010 by greg
If you use pam_ldap to authenticate against Active Directory you may have a problem you never thought of. You may be allowing disabled accounts access to your system. Use the following filter to exclude disabled accounts. The filter looks at the userAccountControl field which is a bit field. It checks the single bit that determines if an account is enabled or disabled. This snippet belongs in /etc/pam_ldap.conf.
pam_filter &(objectclass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
On second thought this might not be desirable. This will filter out disabled accounts making them appear as though they do not exist which is different than being disabled.
This entry was posted on Tuesday, January 19th, 2010 at 11:35 am and is filed under Geek, Tips. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.
