On Wednesday 05 March 2008 03:38:57 Zhang Weiwu wrote:

Dear all

By googling around I saw a lot of questions were asked for this, but either not answered or gets answered without practical how-to:

http://archives.devshed.com/forums/networking-100/question-pertaining-to-pp olicy-overlay-feature-1334235.html http://www.mail-archive.com/openldap-software@openldap.org/msg08718.html http://www.openldap.org/lists/openldap-software/200509/msg00219.html

Let's say, the admin user wishes to unlock an user, without changing his password or resetting his password, what should he do? should he deletes all pwdLockedTime for the locked user? should he deletes pwdAccountLockedTime for the locked user?

I actually just had to do this, as I locked myself out while testing, deleting pwdAccountLockedTime works on 2.3.40, though the schema definition for the attribute in the slapo-ppolicy man page seems to indicate it can't be modified while the one used in the ppolicy.c source indicates it can):

{ "( 1.3.6.1.4.1.42.2.27.8.1.17 " "NAME ( 'pwdAccountLockedTime' ) " "DESC 'The time an user account was locked' " "EQUALITY generalizedTimeMatch " "ORDERING generalizedTimeOrderingMatch " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 " "SINGLE-VALUE " #if 0 /* Not until MANAGEDIT control is released */ "NO-USER-MODIFICATION " #endif

Regards, Buchan