<quote who="Scott Classen">
----- Original Message ----- From: Howard Chu hyc@symas.com Date: Friday, March 14, 2008 2:55 am Subject: Re: Grace period for inactive accounts? To: Gavin Henry ghenry@openldap.org Cc: openldap-software@openldap.org, John Maki jmaki66@yahoo.com
Gavin Henry wrote:
John Maki wrote:
Hi, I'm using OpenLDAP 2.3.38 with the ppolicy overlay on a Fedora 7 x86-64 server. Is there any functionality built in to provide account locking after a certain length of time after a password expires? Similar to pwdGraceAuthnLimit but based on time rather than number of login attempts? I'd like to be able to lock accounts after a period of inactivity. Or am I missing some other way of doing this?
There's nothing I can see or know about. Anyone else?
Read the spec.
Seems to me that you just need to judiciously set up ppolicy. Set pwdMaxAge to the max time you want your users to be able to have an inactive account, then set pwdGraceAuthnLimit to 0
This won't work unless he means "after a period of inactivity" to be actually changing their password.
For example, if he wants to lock an account after 15 days of no logins, then if a user logs in on day 14, he would expect the lockout period to be reset. However, to reset it the user would have to change their password so pwdChangeTime updates.
Or am I way off?
then if a user hasn't logged in within your set amount of time their account will be locked.
This is pretty harsh though. You could probably set pwdExpireWarning to some small value and set pwdGraceAuthnLimit to 1 so they have one chance to log in with an expired passwd and change it.