Guillaume Rousse wrote:
Howard Chu wrote:
Since the ppolicy module's behavior is dictated by the Behera draft, any suggestions for changes in this area should probably first be raised on the ietf-ldapext mailing list.
Right, but the openldap implementation already has extensions, such as pwdCheckModule. Additional extensions could be implemented before getting standardized.
Also, the ietf-ldapext seems to be a highly technical list, and I don't feel comfortable enough to post this kind of request directly there. Discussing various limitations of ppolicy among openldap users first would probably allow the openldap core team to suggest a more polished extension request themselves.
The draft doesn't say anything about setting pwdAccountLockedTime to a value in the future; since it doesn't preclude it I've fixed up the code to handle this case. However, it's not a good solution for your purpose, since the pwdAccountLockedTime value is automatically replaced with the current time if too many Bind failures occur, and it's automatically deleted when a password is changed. We'll leave this in HEAD on an experimental basis for now, until a real solution is spec'd out.