#!/bin/sh -e

##########################################################################
#   Script description:
#       Disable local password for user, so they must use a service
#       such as LDAP or AD, or are locked out of the system.
#   
#   History:
#   Date        Name        Modification
#   2019-06-25  Jason Wayne Bacon - UITS/UITS - SysadminBegin
##########################################################################

usage()
{
    printf "Usage: $0 username\n"
    exit 1
}


##########################################################################
#   Main
##########################################################################

if [ $# != 1 ]; then
    usage
fi
user_name=$1

case $(auto-ostype) in
FreeBSD)
    # pw lock blocks all authentication methods, so just munge the pw manually
    # with a !! to disable the local password.
    pw=$(awk -F : -v user_name=$user_name '$1 == user_name { print $2 }' /etc/master.passwd)
    printf "${pw#!!}\n" | pw usermod $user_name -H 0
    printf "Don't forget to set password expiration with pw if needed.\n"
    ;;

RHEL)
    # passwd -l only blocks local password.  LDAP, AD, etc will still work.
    passwd -u $user_name
    printf "Don't forget to set password expiration with chage if needed.\n"
    ;;

*)
    auto-unsupported-os $0
    exit 1
    ;;

esac
