On Mon, Apr 20, 2015, at 09:27 AM, Clément OUDOT wrote:
> 2015-04-19 11:09 GMT+02:00 Dario Zanzico <dario@dariozanzico.com>:
> [cut]
>
> This is about password expiration, not password lock status. To check lock, read the pwdAccountLockedTime attribute. If it is present, the password is locked.
>
> Clément.

You're right, I misunderstood the OP's message. But checking for the presence of pwdAccountLockedTime is not enough, because the attribute is not automatically deleted after pwdLockoutDuration seconds. It is removed only if the entry binds successfully at least pwdLockoutDuration seconds after pwdAccountLockedTime. The test should then be:

    user_locked = (entry.pwdAccountLockedTime + policy.pwdLockoutDuration) > $currentTimestamp

The attribute pwdAccountLockedTime can also be set to the special value 000001010000Z (administrative lockout). If we consider this case too, the test becomes:

    user_locked = (entry.pwdAccountLockedTime == 000001010000Z) || ((entry.pwdAccountLockedTime + policy.pwdLockoutDuration) > $currentTimestamp)
dario
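The lock test discussed in this thread, written out as an added Python example (it is not code from the thread or from OpenLDAP's ppolicy overlay). It parses the GeneralizedTime value stored in pwdAccountLockedTime, special-cases the administrative-lockout marker 000001010000Z, and, going one step beyond the thread, treats a missing or zero pwdLockoutDuration as an indefinite lock, which is what the password-policy draft specifies for that value. The `entry` and `policy` dicts are assumed to be shaped like an LDAP search result (attribute name to list of string values); the function names and all sample values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

# Marker the ppolicy overlay stores for an administrative lockout. It is not a
# real timestamp (year 0000), so it must be checked before any date parsing.
ADMIN_LOCK_VALUE = "000001010000Z"

AttrValue = Union[None, str, bytes, List[Union[str, bytes]]]


def _first(value: AttrValue) -> Optional[str]:
    """Normalise a search-result attribute (scalar or list, str or bytes)."""
    if isinstance(value, list):
        value = value[0] if value else None
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return value


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in UTC, e.g. '20150420092700Z' or
    '20150420092700.5Z', into a timezone-aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime values are supported")
    body = value[:-1]
    microsecond = 0
    if "." in body:
        body, fraction = body.split(".", 1)
        microsecond = int((fraction + "000000")[:6])
    if len(body) not in (10, 12, 14):  # YYYYMMDDHH[MM[SS]]
        raise ValueError(f"unexpected GeneralizedTime: {value!r}")
    body = body.ljust(14, "0")          # missing minutes/seconds default to 00
    dt = datetime.strptime(body, "%Y%m%d%H%M%S")
    return dt.replace(microsecond=microsecond, tzinfo=timezone.utc)


def is_locked(entry: Dict[str, AttrValue], policy: Dict[str, AttrValue],
              now: Optional[datetime] = None) -> bool:
    """True if the entry is currently locked under the given ppolicy.

    Mirrors the test from the thread: presence of pwdAccountLockedTime alone
    is not enough, because the overlay only clears it on a later successful
    bind, so the lockout window has to be compared against the current time.
    """
    now = now or datetime.now(timezone.utc)
    locked_at = _first(entry.get("pwdAccountLockedTime"))
    if locked_at is None:
        return False                     # never locked (or already cleared)
    if locked_at == ADMIN_LOCK_VALUE:
        return True                      # administrative lock: only a reset clears it

    # Assumption (from the password-policy draft, not from the thread): an
    # absent or zero pwdLockoutDuration means the lock does not expire.
    duration = _first(policy.get("pwdLockoutDuration"))
    seconds = int(duration) if duration is not None else 0
    if seconds <= 0:
        return True

    return parse_generalized_time(locked_at) + timedelta(seconds=seconds) > now


if __name__ == "__main__":
    # Constructed sample data: a policy with a 10-minute lockout and three entries.
    policy = {"pwdLockoutDuration": [b"600"]}
    now = datetime(2015, 4, 20, 9, 27, tzinfo=timezone.utc)
    samples = {
        "still locked (locked 7 min ago)": {"pwdAccountLockedTime": [b"20150420092000Z"]},
        "expired lock, attribute left behind": {"pwdAccountLockedTime": [b"20150420090000Z"]},
        "administrative lock": {"pwdAccountLockedTime": [b"000001010000Z"]},
        "never locked": {},
    }
    for label, entry in samples.items():
        print(f"{label:40s} locked={is_locked(entry, policy, now)}")
```

Values are taken as bytes or str so the function works directly on results from python-ldap (bytes) or ldap3 (str); the `now` parameter exists so the check can be tested against a fixed clock, and in production should be compared against the server's time, not the client's, if the two can drift.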