Full_Name: Guillaume Rousse
Submission from: (NULL) (22.214.171.124)
Current ppolicy implementation allows to administratively lock a password, by
setting pwdAccountLockedTime attribute to '000001010000Z' value. However,
despite this value actually being a generalized date, setting it to any other
date in the future doesn't work as expected. Moreover, this is an operational
attribute, which is primarily supposed to be handled by slapd itself.
As a consequence, a normal pwdExpirationDate attribute, which itself would set
boolean operational attribute pwdExpired attribute to a true value, would be
Since the ppolicy module's behavior is dictated by the Behera draft, any
suggestions for changes in this area should probably first be raised on the
ietf-ldapext mailing list.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/