account management pam_ldap+nss_ldap

Cezar Fistik cezar at arax.md
Thu Nov 18 10:15:27 PST 2004


Hello all,

I would greatly appreciate it if someone could help me or point me to the right place to find a solution to the following problem. I have a system (5.3-RELEASE) configured to do user authentication through PAM and LDAP using pam_ldap.so and nss_ldap.so. Everything is fine with that configuration; I am able to login, ssh and ftp to the system using users configured only in LDAP with no problem.

What I'm looking for is a way to manage these accounts, I mean to temporarily disable (lock) an account or a group of accounts, like "pw lock username", set account expiration dates and so on. I spent the last 2 days searching but found nothing, or maybe I was looking in the wrong places?
Please, if someone has done things like those described above, help me. Actually, I'm most interested in disabling/enabling an LDAP account/group without deleting it.

I was trying to find a solution myself and have thought of the following. To create an LDAP schema file which will have an objectclass with the accountEnabled attribute (and maybe some others too). To include this objectclass for DNs containing users, and somehow to create a filter in the nss_ldap config file which will do the filtering, taking into account the accountEnabled flag. What do you think of this approach? I would appreciate any suggestions.

Thanks, 
Cezar Fistik 
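One way to carry out the approach proposed above (a per-user accountEnabled flag that nss_ldap and pam_ldap filter on), as an added example that is not part of the original post and not from the pam_ldap/nss_ldap projects: a small sh script that emits the LDIF to lock or unlock an account so it can be piped into ldapmodify, with the matching ldap.conf filter lines in the comments. Assumed, not given on the page: the base DN ou=People,dc=example,dc=com, the attribute name accountEnabled as a single-valued boolean, and the admin bind DN in the usage comment.

```shell
#!/bin/sh
# Added example: "pw lock"/"pw unlock" for LDAP accounts by flipping a
# hypothetical accountEnabled attribute on the user's entry.
#
# Server side, the same flag has to be honoured by the lookups. In the
# ldap.conf read by nss_ldap and pam_ldap (PADL syntax):
#
#   # nss_ldap: base?scope?filter -- disabled users vanish from getpwnam()
#   nss_base_passwd ou=People,dc=example,dc=com?one?(accountEnabled=TRUE)
#
#   # pam_ldap: extra filter on the user search during authentication
#   pam_filter accountEnabled=TRUE
#
# Assumptions (not from the original post): the base DN below, and that
# accountEnabled is a single-valued boolean on every user entry.
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"

# account_ldif <uid> <TRUE|FALSE>
# Prints a "changetype: modify" LDIF that replaces accountEnabled.
account_ldif() {
    uid=$1
    state=$2
    case "$state" in
        TRUE|FALSE) ;;
        *)
            echo "account_ldif: state must be TRUE or FALSE, got '$state'" >&2
            return 1
            ;;
    esac
    case "$uid" in
        ''|*[!A-Za-z0-9._-]*)
            echo "account_ldif: refusing suspicious uid '$uid'" >&2
            return 1
            ;;
    esac
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: accountEnabled\naccountEnabled: %s\n' \
        "$uid" "$BASE_DN" "$state"
}

# The pw lock / pw unlock equivalents.
lock_account()   { account_ldif "$1" FALSE; }
unlock_account() { account_ldif "$1" TRUE; }

# Locking several accounts at once (a "group" in the poster's sense):
# lock_accounts jdoe asmith bjones
lock_accounts() {
    for u in "$@"; do
        lock_account "$u" || return 1
        echo
    done
}

# Applying it against a writable directory (not run here; bind DN assumed):
#   lock_account jdoe | ldapmodify -x -D "cn=admin,dc=example,dc=com" -W
```

Two practical caveats. Filtering in nss_base_passwd makes a locked user disappear from getpwnam(), so files they own show a numeric UID and cron or mail for that user can misbehave; filtering only with pam_filter keeps the account visible to NSS while still refusing login. The uid is validated before it is interpolated into the DN so a stray comma or parenthesis cannot change which entry is modified.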



