Pwdaccountlockedtime isn't an attribute that can be set in the database since ppolicy is now compiled into openldap as opposed to it being a schema that's pulled in and that attribute is not defined in the source code. I would say that, based on the man page, it's a bug.
On 12/27/21 12:04, Ulrich Windl wrote:
>>>> kevin martin <ktmdms@gmail.com> schrieb am 22.12.2021 um 22:42 in Nachricht
> <CACyJYa2V+d1Cv6TgK7PzWS36ij-aih6STL2jE2HZv0R-DwoRow@mail.gmail.com>:
>> it appears from looking at ppolicy.c that pwdAccountLockedTime is not
>> supported in openlda. is there another way to lock a users account in
>> openldap outside of simply changing the users password?
>
> I found out the hard way: When all grace logins were consumed after
> the user should have changed the password, the user can no longer log
> in (and he/she cannot change the password either).
But that's not what the original poster asked for.
See slapo-policy(5) [1]:
"If pwdAccountLockedTime is set to 000001010000Z, the user's account has
been permanently locked and may only be unlocked by an administrator."
IIRC this works. If not, then it's a bug.
In Æ-DIR I let admins maintain a status attribute 'aeStatus' which is
also evaluated by ACLs on userPassword to deactivate authentication
(auth privilege granted to anonymous only for active entries).
Ciao, Michael.
[1] https://www.openldap.org/software/man.cgi?query=slapo-ppolicy