Hi all,

I'm running OpenLDAP 2.4.44 in Docker on Ubuntu, and have a requirement to lock accounts after they've been idle for a certain amount of time.

As I understand it there's no native way to do this, so I've written a Python script that loops over the accounts and checks the authTimestamp from the lastbind overlay, which is all good. To lock the account I set pwdAccountLockTime to the timestamp, which works well with the ppolicy overlay in place.

The problem comes when we want to unlock the accounts and give the end users a chance to authenticate so that the lock is cleared. My understanding from reading the code was that I could set pwdAccountLockTime to a timestamp in the future, and the lock should expire when that time is reached. This gives the users a grace period in which to authenticate.

However, when I do this the account still seems locked: authentication still returns invalid credentials, but when I remove the pwdAccountLockTime attribute the same password works. I've tried with pwdLockoutDuration set to both 0 and a non-zero value, and pwdLockout is set to TRUE.

I also investigated using pwdEndTime and pwdStartTime as per the "Password Policy for LDAP Directories" draft, but apparently these aren't implemented.

Should any of this be working? Am I missing a piece of the puzzle here? Does anyone have suggestions on how to solve this, either via the approach I'm trying or an alternative? Please let me know if I've left out any useful information.

Thanks,
Brad
-- 
Brad Marshall
brad.marshall@gmail.com
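Below is an added, stand-alone Python sketch of the workflow described in this message. It is not Brad's script and not OpenLDAP code. It parses lastbind's authTimestamp values, picks out accounts idle longer than a threshold, and emits the LDIF modify operations that set or delete pwdAccountLockTime. The unlock rule it models, namely that ppolicy keeps a lock in force while now < pwdAccountLockTime + pwdLockoutDuration and treats the lock as permanent when pwdLockoutDuration is 0, is an assumption written into the code rather than something the message establishes; under that rule a lock time set in the future cannot expire before pwdLockoutDuration has also elapsed, and the grace-period helper derives the lock time from the duration instead. All DNs, timestamps and policy values are constructed sample data.

```python
"""Idle-account lockout helper (added example, not the poster's script, not OpenLDAP code).

ASSUMPTION modelled here, not stated in the message:
  ppolicy treats an account as locked while  now < pwdAccountLockTime + pwdLockoutDuration,
  and as permanently locked (until the attribute is removed) when pwdLockoutDuration is 0.
Runs offline on constructed entries; a real script would read authTimestamp over LDAP
and feed the generated LDIF to ldapmodify.
"""
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as written by lastbind and ppolicy


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime string; fractional seconds, if present, are dropped."""
    if not value.endswith("Z"):
        raise ValueError("only UTC (Z) GeneralizedTime is handled: %r" % value)
    body = value[:-1].split(".", 1)[0]
    return datetime.strptime(body + "Z", GT_FMT).replace(tzinfo=timezone.utc)


def format_generalized_time(dt):
    return dt.astimezone(timezone.utc).strftime(GT_FMT)


def idle_accounts(entries, now, max_idle):
    """Return DNs whose last bind is older than max_idle and that carry no lock yet.

    entries: {dn: {"authTimestamp": str or None, "pwdAccountLockTime": str or None}}
    Entries without authTimestamp have never bound since lastbind was enabled; they are
    skipped rather than locked so that decision is made deliberately elsewhere.
    """
    idle = []
    for dn, attrs in entries.items():
        last = attrs.get("authTimestamp")
        if last is None or attrs.get("pwdAccountLockTime") is not None:
            continue
        if now - parse_generalized_time(last) > max_idle:
            idle.append(dn)
    return idle


def lock_ldif(dn, lock_time):
    """LDIF modify that sets pwdAccountLockTime (replace, so re-running is idempotent)."""
    return ("dn: %s\nchangetype: modify\nreplace: pwdAccountLockTime\n"
            "pwdAccountLockTime: %s\n-\n" % (dn, format_generalized_time(lock_time)))


def unlock_ldif(dn):
    """LDIF modify that removes the lock outright (the manual unlock the message describes)."""
    return "dn: %s\nchangetype: modify\ndelete: pwdAccountLockTime\n-\n" % dn


def lock_is_active(lock_time_value, now, pwd_lockout_duration):
    """Model of the ppolicy lock check (ASSUMPTION, see module docstring)."""
    if lock_time_value is None:
        return False
    if pwd_lockout_duration == 0:
        return True  # pwdLockoutDuration 0: locked until the attribute is deleted
    then = parse_generalized_time(lock_time_value)
    return now < then + timedelta(seconds=pwd_lockout_duration)


def lock_expires_at(lock_time_value, pwd_lockout_duration):
    """When the modelled lock lapses; None for a permanent lock."""
    if pwd_lockout_duration == 0:
        return None
    return parse_generalized_time(lock_time_value) + timedelta(seconds=pwd_lockout_duration)


def lock_time_for_grace(now, grace_seconds, pwd_lockout_duration):
    """Under the modelled rule, a lock that lapses grace_seconds from now must be stamped
    now + grace - pwdLockoutDuration, not now + grace. Impossible when the duration is 0."""
    if pwd_lockout_duration == 0:
        raise ValueError("pwdLockoutDuration 0 never expires; delete the attribute instead")
    return format_generalized_time(
        now + timedelta(seconds=grace_seconds) - timedelta(seconds=pwd_lockout_duration))


# Constructed sample data (not from any real directory).
NOW = datetime(2017, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"authTimestamp": "20170530100000Z", "pwdAccountLockTime": None},
    "uid=bob,ou=people,dc=example,dc=com":   {"authTimestamp": "20170101090000Z", "pwdAccountLockTime": None},
    "uid=carol,ou=people,dc=example,dc=com": {"authTimestamp": "20161201090000Z", "pwdAccountLockTime": "20170515000000Z"},
    "uid=dave,ou=people,dc=example,dc=com":  {"authTimestamp": None, "pwdAccountLockTime": None},
}

if __name__ == "__main__":
    for dn in idle_accounts(SAMPLE_ENTRIES, NOW, timedelta(days=90)):
        print(lock_ldif(dn, NOW))
    future = "20170603120000Z"  # lock time two days ahead, as the message tries
    print("future lock, duration 86400, still active:", lock_is_active(future, NOW, 86400))
    print("it would lapse at:", lock_expires_at(future, 86400))
    print("two-day grace with duration 86400 needs:", lock_time_for_grace(NOW, 2 * 86400, 86400))
```

Running it prints the LDIF for bob only (alice is recent, carol is already locked, dave has never bound), then shows that the two-days-ahead lock time stays active under the modelled rule and would only lapse a day after that, and that a genuine two-day grace period with pwdLockoutDuration 86400 needs a lock time of only one day ahead.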