----- Original Message ----- From: Howard Chu hyc@symas.com Date: Friday, March 14, 2008 2:55 am Subject: Re: Grace period for inactive accounts? To: Gavin Henry ghenry@openldap.org Cc: openldap-software@openldap.org, John Maki jmaki66@yahoo.com
Gavin Henry wrote:
John Maki wrote:
Hi, I'm using Openldap 2.3.38 with the ppolicy overlay on a Fedora 7 x86-64 server. Is there any functionality built in to provide account locking after a certain length of time after a password expires? Similiar to pwdGraceAuthnLimit but based on time rather than number of login attempts? I'd like to be able to lock accounts after a period of inactivity. Or am I missing some other way of doing this?
There's nothing I can see or know about. Anyone else?
Read the spec.
Seems to me that you just need to judiciously set up ppolicy. set pwdMaxAge to the max time you want your users to be able to have an inactive account then set pwdGraceAuthnLimit to 0
then if a user hasn't logged in within your set amount of time their account will be locked.
This is pretty harsh though. You could probably set pwdExpireWarning to some small value and set pwdGraceAuthnLimit to 1 so they have once chance to log in with an expired passwd and change it.