One solution is to:
pwpolicy -a diradmin -u ajohnson -setpolicy "isDisabled=1"
But this doesn't disable the local user account (if there is one),
so then you would have to do:
sudo dscl . -create /Users/ajohnson UserShell /usr/bin/false
And this must be synced via some sort of script (idiotic infrastructure server solution... it's not a server unless the user depends on it, then it's just a can with a bunch of server software running standalone).
There are also some other workarounds described here:
But none of these does what I want to do. I want to unify the whole administration via a web GUI (or an OpenGL-built GUI) that can interact with the system running the accounts (LDAP).
So why in the name of the green planet can't I access all the data where it's designed to be? Deviant Apple is deviant...