On Sat, Jun 28, 2008 at 07:21:44PM -0700, Howard Chu wrote:
> >pwdFailureTime cannot be modified directly, so I think there is a case for
> >clearing it when pwdAccountLockedTime is cleared explicitly.
>
> Technically, you're not supposed to be able to modify pwdAccountLockedTime
> directly either. The current behavior is a temporary hack. The only
> legitimate way to remove those attributes is by setting a new password. I'm
> rejecting this ITS.

Indeed, though draft-behera-ldap-password-policy-xx.txt is a bit unclear
on the subject of that attribute:

    5.3.3 pwdAccountLockedTime

    This attribute holds the time that the user's account was locked. A
    locked account means that the password may no longer be used to
    authenticate. A 000001010000Z value means that the account has been
    locked permanently, and that only a password administrator can unlock
    the account.

One reading of that clause is that *setting* pwdAccountLockedTime to
000001010000Z is the way to lock an account by administrative action.
There does not appear to be anything in the I-D that would cause the
server to set that value itself. The current implementation does allow
admins to set the value, which appears to be the only way to
lock/unlock an account without changing the password.
I would certainly prefer to have separate attributes for 'admin lock'
and 'auto lock'.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                        +44 1628 782565 |
-----------------------------------------------------------------------
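Added example, not code from this thread or from OpenLDAP: a small audit over an LDIF dump that classifies each entry's lock state using the semantics quoted above (pwdAccountLockedTime of 000001010000Z is an administrative lock, any other value is the timestamp of an automatic lockout) and counts the recorded pwdFailureTime values, so locked accounts can be found without modifying anything. It assumes pwdLockoutDuration from the draft (lockout expiry in seconds, 0 meaning no expiry); the sample LDIF and the "current" time are constructed.

```python
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # draft-behera 5.3.3: only a password admin can unlock

def parse_ldif(text):
    """Minimal LDIF reader ('attr: value' lines, blank line ends an entry); no folding or base64."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def parse_gt(value):
    """LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' -> aware UTC datetime (fraction ignored)."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def lock_state(entry, now, lockout_duration=0):
    """now: GeneralizedTime string; lockout_duration: pwdLockoutDuration in seconds (0 = no expiry)."""
    locked = entry.get("pwdAccountLockedTime")
    if not locked:
        return "unlocked"
    if locked[0] == PERMANENT_LOCK:  # test before parsing: year 0000 is not a valid datetime
        return "admin-locked"
    expiry = parse_gt(locked[0]) + timedelta(seconds=lockout_duration)
    if lockout_duration and parse_gt(now) >= expiry:
        return "auto-lock-expired"  # the server will let the next bind through
    return "auto-locked"

def audit(ldif_text, now, lockout_duration=0):
    """Map uid -> (lock state, number of recorded pwdFailureTime values)."""
    return {e["uid"][0]: (lock_state(e, now, lockout_duration), len(e.get("pwdFailureTime", [])))
            for e in parse_ldif(ldif_text)}

# Constructed sample dump: alice is admin-locked, bob was auto-locked after two failures.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdAccountLockedTime: 000001010000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdAccountLockedTime: 20080628120000Z
pwdFailureTime: 20080628115900Z
pwdFailureTime: 20080628120000Z
"""
```

Run `audit(SAMPLE_LDIF, "20080628130000Z", 1800)` to see alice reported as admin-locked and bob's 30-minute lockout as already expired; with a lockout duration of 0 bob stays auto-locked until a password change clears the attribute.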