On Sat, Jun 28, 2008 at 07:21:44PM -0700, Howard Chu wrote:
> > pwdFailureTime cannot be modified directly, so I think there is a case for clearing it when pwdAccountLockedTime is cleared explicitly.
> Technically, you're not supposed to be able to modify pwdAccountLockedTime directly either. The current behavior is a temporary hack. The only legitimate way to remove those attributes is by setting a new password. I'm rejecting this ITS.
Indeed, though draft-behera-ldap-password-policy-xx.txt is a bit unclear on the subject of that attribute:
5.3.3 pwdAccountLockedTime
This attribute holds the time that the user's account was locked. A locked account means that the password may no longer be used to authenticate. A 000001010000Z value means that the account has been locked permanently, and that only a password administrator can unlock the account.
One reading of that clause is that *setting* pwdAccountLockedTime to 000001010000Z is the way to lock an account by administrative action. There does not appear to be anything in the I-D that would cause the server to set that value itself. The current implementation does allow admins to set the value, which appears to be the only way to lock/unlock an account without changing the password.
I would certainly prefer to have separate attributes for 'admin lock' and 'auto lock'.
Andrew
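Added example, not part of the thread above: a small Python audit that reads LDIF-style entries and classifies each account by the reading of pwdAccountLockedTime discussed here (absent means unlocked, the sentinel 000001010000Z means an administrative permanent lock, any other GeneralizedTime value means the lock was applied at that time). The entries, DNs and helper names are constructed for illustration; the sentinel string is compared literally because year 0000 cannot be represented as a datetime.

```python
from datetime import datetime, timezone

# Sentinel value from draft-behera-ldap-password-policy section 5.3.3:
# a permanent lock that only a password administrator can clear.
PERMANENT_LOCK = "000001010000Z"

# Constructed sample entries in LDIF-like form (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdChangedTime: 20080601120000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdAccountLockedTime: 000001010000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
pwdFailureTime: 20080628190000Z
pwdFailureTime: 20080628190130Z
pwdAccountLockedTime: 20080628190130Z
"""


def parse_ldif(text):
    """Parse a minimal LDIF text into a list of {attribute: [values]} dicts.

    Only the subset needed here is handled: blank-line separated entries,
    'attr: value' lines, multi-valued attributes. No base64 or continuation lines.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """Convert an LDAP GeneralizedTime (UTC, seconds optional) to an aware datetime."""
    for fmt in ("%Y%m%d%H%M%SZ", "%Y%m%d%H%MZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported GeneralizedTime: %r" % value)


def lock_state(entry):
    """Classify one entry by its pwdAccountLockedTime value.

    Returns (state, when) where state is one of 'unlocked', 'locked-permanent'
    or 'locked-since', and when is the lock timestamp for the last case.
    """
    values = entry.get("pwdAccountLockedTime", [])
    if not values:
        return ("unlocked", None)
    value = values[0]          # the attribute is single-valued in the I-D
    if value == PERMANENT_LOCK:
        return ("locked-permanent", None)
    return ("locked-since", parse_generalized_time(value))


def audit(ldif_text):
    """Map each DN to its lock state and its recorded failure count."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        state, when = lock_state(entry)
        failures = len(entry.get("pwdFailureTime", []))
        report[dn] = {"state": state, "since": when, "failures": failures}
    return report


if __name__ == "__main__":
    for dn, info in audit(SAMPLE_LDIF).items():
        print(dn, info["state"], info["since"], "failures=%d" % info["failures"])
```

As the thread notes, the sentinel is the only thing that distinguishes an administrative lock from an automatic one in this attribute, which is why a report like this has to special-case it rather than treating every value as a timestamp.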