2015-04-19 11:09 GMT+02:00 Dario Zanzico dario@dariozanzico.com:
On Thu, Apr 16, 2015, at 06:38 AM, rockwang wrote:
Hi, all
I set the policy for the user as follows:

# default, policies, abc.com
dn: cn=default,ou=policies,dc=abc,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

My question is how to check the user lock status.
With this policy an entry will have its password expired (will be denied BIND with an invalid credential message) when # account.pwdLastChange + policy.pwdMaxAge > $currentTimestamp #
This is about password expiration, not password lock status. To check the lock, read the pwdAccountLockedTime attribute. If it is present, the password is locked.
Clément.
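
The check described in the last reply, as an added example that is not part of the original thread: it reads pwdAccountLockedTime and goes one step further by comparing it with the policy's pwdLockoutDuration (900 seconds above), since the attribute can still be present after a timed lock has run out. The user entry, the uid and the timestamps are constructed sample data; pwdAccountLockedTime is an operational attribute, so it has to be requested explicitly when searching, and the minimal parser assumes unwrapped, non-base64 LDIF lines.

```python
from datetime import datetime, timedelta, timezone

PERMANENT = "000001010000Z"  # ppolicy value meaning "locked until an admin unlocks"

# Constructed sample: operational attributes of a hypothetical user entry.
USER_LDIF = """\
dn: uid=jdoe,ou=people,dc=abc,dc=com
pwdFailureTime: 20150416043755Z
pwdAccountLockedTime: 20150416043800Z
"""
# Lockout-related attributes copied from the policy entry in the thread.
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=abc,dc=com
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
"""

def parse_ldif_attrs(ldif):
    """Collect 'attr: value' lines of one LDIF entry into a dict of lists."""
    attrs = {}
    for line in ldif.strip().splitlines():
        if line.startswith("#") or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        attrs.setdefault(name, []).append(value.strip())
    return attrs

def parse_gtime(value):
    """Parse an LDAP GeneralizedTime value such as 20150416043800Z (UTC)."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def lock_status(user, policy, now):
    """Classify the lock state of a user entry under the given policy entry."""
    if policy.get("pwdLockout", ["FALSE"])[0].upper() != "TRUE":
        return "not locked"              # lockout is not enforced by this policy
    locked = user.get("pwdAccountLockedTime")
    if not locked:
        return "not locked"              # attribute absent: never locked or already reset
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    if locked[0] == PERMANENT or duration == 0:
        return "locked until admin reset"
    until = parse_gtime(locked[0]) + timedelta(seconds=duration)
    if now < until:
        return "locked until " + until.strftime("%Y-%m-%d %H:%M:%SZ")
    return "lock elapsed"                # attribute still present, lock period is over
```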