A directory service doesn't make it easy to disable user accounts
July 28, 2011
A typical reaction on Reddit to my earlier entry on the complexity of disabling accounts is this:
Unfortunately, the answer is no; a directory service doesn't make disabling users much easier, not by itself. The problem is inherently complex.
Let's imagine that we have some directory service; it stores user information, including multiple passwords, and it has a 'disabled' flag. What has to pay attention to the 'disabled' flag in an environment like ours?
(Because many of these daemons explicitly run things using
So here's the question: today, how many of your daemons and systems actually support doing this as they come out of the box? The answer is almost certainly 'none' or 'very few' (and the example of
Disabling a user using a directory system is only simple if you do not have services that do things on behalf of the user and the user cannot have lingering activity on your systems. This is the case in some environments (such as Windows desktop environments), but it's often not the case in a Unix environment. Where you do have 'on behalf of' services, they have to know to not do things for disabled users; where you have lingering or ongoing activity, something has to know to terminate it. Today this is generally not an integrated feature in anything (at least on Unix; Windows may have better integration for this with AD).
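The kind of glue this paragraph says nobody ships, as an added example (my code, not the author's): given a user the directory has flagged as disabled, find the activity on a Unix host that the flag by itself does not stop. It parses constructed `ps`, `who` and crontab output; `audit_live` gathers the same inputs from a real host (reading another user's crontab needs root, and `at` jobs and mail forwarding are left out).

```python
"""Find lingering activity that a directory 'disabled' flag does not terminate."""
import re
import subprocess

def parse_ps(ps_output, user):
    """PIDs owned by `user` in `ps -eo user,pid,args` output (header skipped)."""
    pids = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0] == user:
            pids.append(int(parts[1]))
    return pids

def parse_who(who_output, user):
    """Terminals where `user` still has a login session, from `who` output."""
    return [f[1] for f in (l.split() for l in who_output.splitlines())
            if len(f) >= 2 and f[0] == user]

def parse_crontab(crontab_text):
    """Job lines that will keep firing: skip blanks, comments and NAME=value lines."""
    return [l for l in crontab_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")
            and not re.match(r"^\s*\w+\s*=", l)]

def lingering_activity(user, ps_output, who_output, crontab_text):
    """Everything a human (or cleanup job) still has to deal with after disabling."""
    return {"processes": parse_ps(ps_output, user),
            "sessions": parse_who(who_output, user),
            "cron_jobs": parse_crontab(crontab_text)}

def audit_live(user):
    """Collect the same inputs from the running system instead of constructed text."""
    ps = subprocess.run(["ps", "-eo", "user,pid,args"], capture_output=True, text=True).stdout
    who = subprocess.run(["who"], capture_output=True, text=True).stdout
    cron = subprocess.run(["crontab", "-l", "-u", user], capture_output=True, text=True)
    return lingering_activity(user, ps, who, cron.stdout if cron.returncode == 0 else "")

# Constructed sample output for a hypothetical disabled user 'fred'.
SAMPLE_PS = ("USER       PID COMMAND\nroot         1 /sbin/init\n"
             "fred      4242 /usr/bin/rsync --daemon\nfred      4300 screen -S work\n"
             "alice     5100 bash\n")
SAMPLE_WHO = ("fred     pts/2        2011-07-28 09:14 (desk.example.org)\n"
              "alice    pts/3        2011-07-28 10:02 (laptop.example.org)\n")
SAMPLE_CRON = "# m h dom mon dow command\nMAILTO=fred\n0 3 * * * /home/fred/bin/nightly-sync\n"

if __name__ == "__main__":
    print(lingering_activity("fred", SAMPLE_PS, SAMPLE_WHO, SAMPLE_CRON))
```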
Some but not all of these cases get easier if you can hide (or delete) the disabled user's entry in your directory service. But it isn't a complete solution and it has (probably) undesirable side effects, and the Limoncelli test specifically talked about disabling a user, not deleting them (and hiding a user's entry is much closer to deleting them than simply disabling them).