Guillaume Rousse wrote:
Howard Chu wrote:
> Since the ppolicy module's behavior is dictated by the Behera draft, any
> suggestions for changes in this area should probably first be raised on
> the ietf-ldapext mailing list.
Right, but the openldap implementation already has extensions, such as
pwdCheckModule. Additional extensions could be implemented, before
Also, the ietf-ldapext seems to be a highly technical list, and I don't
feel comfortable enough to post this kind of request directly there.
Discussing various limitations of ppolicy among openldap users first
would probably allow the openldap core team to suggest a more polished
extension request themselves.
The draft doesn't say anything about setting pwdAccountLockedTime to a value
in the future; since it doesn't preclude it I've fixed up the code to handle
this case. However, it's not a good solution for your purpose, since the
pwdAccountLockedTime value is automatically replaced with the current time if
too many Bind failures occur, and it's automatically deleted when a password
is changed. We'll leave this in HEAD on an experimental basis for now, until a
real solution is spec'd out.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/