4 Replies Latest reply: Apr 17, 2013 12:13 AM by hvornum
hvornum Level 1



For some reason, Apple is great at just changing the syntax or path of <insert random feature here>.

And thus, I'm having trouble disabling an account (not locking an account; that seems to work fine by setting pwdLastSet to 0), which should prevent the user from logging in.


The reason is that I'm creating a scenario where:


* User tries to login 3 times -> Gets locked out

  * A script running in the background unlocks the account after 30min or so


In between, or even after, the system administrator has a neat button to disable accounts, and it shouldn't just lock out the accounts, because that would sort of defeat the purpose of the script and the whole locked-out mechanism, but rather disable the account altogether, rendering the user's account invalid for logins even if the correct password is supplied and the account is unlocked/never locked in the first place.



Is this possible? And where do I get and set this value, because it sure isn't stored in the LDAP directory any longer (or wasn't even in the first place?).



Script language: PHP





(Note: I come from a Unix and somewhat Windows background, and finding things in OSX is more confusing than not, since 80% of the guides and documentation are obsolete if you even manage to find any on the interwebs, hence why I need help with even the basic stuff, such as figuring out how and where the mechanics are for the different password/account parts.)

Virtual and Some default server?, OS X Server, PHP, Apache, OpenLDAP (?)
  • hvornum Level 1

    Anyone ever worked with managing users from a script environment? Or is my question this badly formatted?


    OSX Server is one of the most poorly documented server platforms out there; I would think that the official forum on apple.com would have a solution to this dilemma, though.

  • Keith Barkley Level 5

    I am not sure what you mean by an "official" forum. While it is run by Apple, we are all just users like yourself. There are very few posts by Apple employees. You might want to submit a bug report for this.

  • hvornum Level 1

    As the non-Apple geek that I am, where do I file a bug report?

    (I understand that the majority of the forum is run by users; that's the way it normally works, but it's surprising how few people there are who work with OSX Server.)

  • hvornum Level 1

    One solution is to:


    pwpolicy -a diradmin -u ajohnson -setpolicy "isDisabled=1"


    But this doesn't disable the local user account (if there is one),

    so then you would have to do:


    sudo dscl . -create /Users/ajohnson UserShell /usr/bin/false


    And this must be synced via some sort of script (idiotic infrastructure server solution.. it's not a server unless the user depends on it; otherwise it's just a can with a bunch of server software running standalone).


    There's also some other workarounds described here:

    http://serverfault.com/questions/61214/how-can-i-disable-a-user-account-from-the-cli-with-mac-os-x-server


    But none of these does what I want to do; I want to unify the whole administration via a web GUI (or an OpenGL-built GUI) that can interact with the system running the accounts (LDAP).

    So why in the name of the green planet can't I access all the data where it's designed to be? deviant apple is deviant..
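A PHP wrapper for the two commands in the post above, added here as an example (it is not hvornum's or Apple's code): it validates the short name before anything reaches a shell, runs the pwpolicy and dscl steps, and reads the policy back to confirm the flag took. Assumptions: the authenticator is diradmin and its password is supplied non-interactively through pwpolicy's -p option, the web user may run dscl through passwordless sudo (sudoers entry not shown), the password file path is made up, and ajohnson is a sample account name.

```php
<?php
// Added example, not from the thread. Wraps the pwpolicy + dscl steps from the post
// for a PHP back end. Assumed: authenticator "diradmin", its password read from a
// file outside the web root, passwordless sudo for dscl only, sample user "ajohnson".

function disableAccount(string $user, string $dirAdmin, string $dirAdminPassword): array
{
    $log = [];
    // The short name comes from a web form: accept only plain account names so
    // nothing shell-significant can be smuggled into the commands below.
    if (!preg_match('/^[a-z_][a-z0-9_.-]{0,31}$/', $user)) {
        return ['ok' => false, 'log' => ['refused: unsafe user name']];
    }
    $authArgs = '-a ' . escapeshellarg($dirAdmin) . ' -p ' . escapeshellarg($dirAdminPassword);
    $userArg  = escapeshellarg($user);

    // 1. Directory (Open Directory/LDAP) account: set the password-server policy flag.
    //    -p supplies the authenticator password; a web process cannot answer a prompt.
    exec("pwpolicy $authArgs -u $userArg -setpolicy 'isDisabled=1' 2>&1", $out, $rc);
    $log[] = "pwpolicy setpolicy isDisabled=1 for $user: exit $rc"; // never log the command: it holds the password
    if ($rc !== 0) {
        return ['ok' => false, 'log' => array_merge($log, $out)];
    }

    // 2. Local account, if one exists under the same short name: replace the login shell.
    $path = escapeshellarg('/Users/' . $user);
    exec("sudo dscl . -read $path UserShell 2>/dev/null", $shell, $rcLocal);
    if ($rcLocal === 0) {
        exec("sudo dscl . -create $path UserShell /usr/bin/false 2>&1", $out2, $rc2);
        $log[] = "dscl UserShell=/usr/bin/false for $user: exit $rc2";
    } else {
        $log[] = "no local account for $user, dscl step skipped";
    }

    // 3. Read the policy back instead of trusting the exit code alone.
    exec("pwpolicy $authArgs -u $userArg -getpolicy 2>&1", $policy, $rc3);
    $confirmed = ($rc3 === 0) && preg_match('/\bisDisabled=1\b/', implode("\n", $policy)) === 1;
    $log[] = $confirmed ? "confirmed isDisabled=1 for $user"
                        : "WARNING: isDisabled=1 not present in -getpolicy output";
    return ['ok' => $confirmed, 'log' => $log];
}

// Sample call; the password file path is an assumption (readable by the web user only).
$result = disableAccount('ajohnson', 'diradmin', trim(file_get_contents('/etc/webadmin/diradmin.pw')));
echo implode("\n", $result['log']), "\n";
```

With -p the authenticator password is visible in the process list for the duration of each pwpolicy call, so run this on the directory server itself rather than on a shared host.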