Guillaume.Rousse@inria.fr wrote:
Full_Name: Guillaume Rousse
Version: 2.4.16
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.83.212.136)
The current ppolicy implementation allows a password to be administratively locked by setting the pwdAccountLockedTime attribute to the value '000001010000Z'. However, despite this value actually being a generalized date, setting it to any other date in the future doesn't work as expected. Moreover, this is an operational attribute, which is primarily supposed to be handled by slapd itself.
As a consequence, a normal pwdExpirationDate attribute, which itself would set a boolean operational pwdExpired attribute to a true value, would be desirable.
Since the ppolicy module's behavior is dictated by the Behera draft, any suggestions for changes in this area should probably first be raised on the ietf-ldapext mailing list.
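For auditing exported entries, the following added example (not part of the thread and not OpenLDAP code) classifies the lock state implied by pwdAccountLockedTime. It assumes lockout is enabled and assumes the Behera draft rule that a timed lock lasts from the stored time until that time plus pwdLockoutDuration, with a duration of 0 meaning locked until reset; the function names and sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

ADMIN_LOCK = "000001010000Z"  # sentinel quoted in the report


def parse_generalized_time(value):
    """Parse UTC GeneralizedTime written as YYYYMMDDHHMM[SS]Z."""
    digits = value[:-1]
    if not (value.endswith("Z") and digits.isdigit() and len(digits) in (12, 14)):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    fmt = "%Y%m%d%H%M%S" if len(digits) == 14 else "%Y%m%d%H%M"
    # Raises ValueError for year 0000, which datetime cannot represent.
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)


def lock_state(locked_time, lockout_duration, now):
    """Classify an entry as 'unlocked', 'timed' or 'permanent'.

    locked_time      -- pwdAccountLockedTime value, or None if absent
    lockout_duration -- pwdLockoutDuration in seconds (assumed: 0 = until reset)
    """
    if locked_time is None:
        return "unlocked"
    # Test the sentinel before parsing: it is not a parseable date.
    if locked_time == ADMIN_LOCK or lockout_duration == 0:
        return "permanent"
    # Assumed draft rule: the value is the lock start, not an expiry date.
    start = parse_generalized_time(locked_time)
    if now < start + timedelta(seconds=lockout_duration):
        return "timed"
    return "unlocked"


# Constructed sample entries: (uid, pwdAccountLockedTime, pwdLockoutDuration)
SAMPLES = [
    ("alice", None, 300),
    ("bob", ADMIN_LOCK, 300),
    ("carol", "203001010000Z", 300),    # future date used as an "expiry"
    ("dave", "20241231230000Z", 300),   # timed lock already elapsed
]

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed for repeatability
    for uid, locked, duration in SAMPLES:
        print(uid, lock_state(locked, duration, now))
```

Under these assumptions the future-dated entry is reported as locked immediately rather than from the stored date onward, which is why the value cannot stand in for an expiration date.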