>>> kevin martin <ktmdms@gmail.com> schrieb am 01.01.2022 um 00:00 in
Nachricht
<CACyJYa0rYAhJwbbc6Mp4NMV2g7Kj3W2Y1vqmu0jAbihdnc5zNg@mail.gmail.com>:
> Pwdaccountlockedtime isn't an attribute that can be set in the database
> since ppolicy is now compiled into openldap as opposed to it being a schema
> that's pulled in and that attribute is not defined in the source code.  I
> would say that, based on the man page, it's a bug.

In 2.4 I can query it from cn=schema,cn=config:
( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an
user account was locked' EQUALITY generalizedTimeMatch ORDERING
generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
USAGE directoryOperation )

>
> On Fri, Dec 31, 2021, 11:23 AM Michael Ströder <michael@stroeder.com>
wrote:
>
>> On 12/27/21 12:04, Ulrich Windl wrote:
>> >>>> kevin martin <ktmdms@gmail.com> schrieb am 22.12.2021 um 22:42 in
>> Nachricht
>> > <CACyJYa2V+d1Cv6TgK7PzWS36ij-aih6STL2jE2HZv0R-DwoRow@mail.gmail.com>:
>> >> it appears from looking at ppolicy.c that pwdAccountLockedTime is not
>> >> supported in openlda.  is there another way to lock a users account in
>> >> openldap outside of simply changing the users password?
>> >
>> > I found out the hard way: When all grace logins were consumed after
>> > the user should have changed the password, the user can no longer log
>> > in (and he/she cannot change the password either).
>> But that's not what the original poster asked for.
>>
>> See slapo-policy(5) [1]:
>>
>> "If pwdAccountLockedTime is set to 000001010000Z, the user's account has
>> been permanently locked and may only be unlocked  by an administrator."
>>
>> IIRC this works. If not, then it's a bug.
>>
>> In Æ-DIR I let admins maintain a status attribute 'aeStatus' which is
>> also evaluated by ACLs on userPassword to deactivate authentication
>> (auth privilege granted to anonymous only for active entries).
>>
>> Ciao, Michael.
>>
>> [1] https://www.openldap.org/software/man.cgi?query=slapo-ppolicy
>>