On Thu, Apr 16, 2015, at 06:38 AM, rockwang wrote:
> Hi, all
> I set the policy for users as follows:
>
> # default, policies, abc.com
> dn: cn=default,ou=policies,dc=abc,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAttribute: userPassword
> pwdMaxAge: 7776002
> pwdExpireWarning: 432000
> pwdInHistory: 3
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdMaxFailure: 5
> pwdLockout: TRUE
> pwdLockoutDuration: 900
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 0
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> pwdSafeModify: FALSE
>
> My question is how to check the user lock status.

With this policy an entry will have its password expired (it will be denied
BIND with an invalid credentials message) when
#
account.pwdLastChange + policy.pwdMaxAge > $currentTimestamp
#

> Another question is:
> pwdMustChange doesn't work on the Linux client when the user logs in for the first time.

Both pwdMustChange (in the policy) and pwdReset (on the entry) must be
set if you want the client to force an entry's password to be reset
before logging it in.

> Rock.wang

dario zanzico
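An added example, not code from the thread or from OpenLDAP: the lock state the first question asks about lives in the operational attribute pwdAccountLockedTime, which ldapsearch returns only when you request it by name (or with "+"); the value 000001010000Z denotes an administrative lock that only an administrator can clear. The script below parses such an ldapsearch dump and reports lock, expiry (computed from pwdChangedTime, the operational attribute the ppolicy overlay stamps on every password change, plus pwdMaxAge), pending pwdReset, and the failure count still relevant under pwdFailureCountInterval. It also emits the ldapmodify record an administrator would use to set pwdReset TRUE for the second question. The host, bind DN, user DN and the sample entry are constructed placeholders; the policy values are the ones posted above.

```python
"""Evaluate an OpenLDAP ppolicy account state offline from an ldapsearch dump.

Added example for the thread, not part of OpenLDAP. Dump the operational
attributes first (host, admin DN and user DN are placeholders):

  ldapsearch -x -LLL -H ldap://ldap.abc.com -D cn=admin,dc=abc,dc=com -W \
      -b uid=rock,ou=people,dc=abc,dc=com pwdChangedTime \
      pwdAccountLockedTime pwdFailureTime pwdReset

then pass the LDIF text to parse_ldif() and account_status().
"""
from datetime import datetime, timedelta, timezone

# Values copied from the cn=default policy quoted in the thread.
POLICY = {
    "pwdMaxAge": 7776002,
    "pwdLockout": True,
    "pwdLockoutDuration": 900,
    "pwdMaxFailure": 5,
    "pwdFailureCountInterval": 0,
}

ADMIN_LOCK = "000001010000Z"  # ppolicy marker for an administrative (permanent) lock


def parse_ldif(text):
    """Parse one plain LDIF entry into {attr: [values]} (no base64, no folded lines)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def gtime(value):
    """GeneralizedTime (pwdFailureTime carries fractional seconds) -> aware datetime."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def account_status(attrs, policy=POLICY, now=None):
    now = now or datetime.now(timezone.utc)
    status = {"locked": False, "locked_until": None, "expired": False,
              "expires_at": None, "must_reset": False, "recent_failures": 0}

    # Lockout: pwdAccountLockedTime is written when pwdMaxFailure is reached
    # or set by an administrator; pwdLockoutDuration 0 means lock until reset.
    lt = attrs.get("pwdAccountLockedTime", [None])[0]
    if lt:
        if lt == ADMIN_LOCK or policy["pwdLockoutDuration"] == 0:
            status["locked"] = True
        else:
            until = gtime(lt) + timedelta(seconds=policy["pwdLockoutDuration"])
            status["locked_until"] = until
            status["locked"] = now < until

    # Expiry: the password ages from pwdChangedTime; pwdMaxAge 0 disables expiry.
    ct = attrs.get("pwdChangedTime", [None])[0]
    if ct and policy["pwdMaxAge"]:
        expires_at = gtime(ct) + timedelta(seconds=policy["pwdMaxAge"])
        status["expires_at"] = expires_at
        status["expired"] = now >= expires_at

    # Forced change on next bind: pwdReset TRUE on the entry.
    status["must_reset"] = attrs.get("pwdReset", ["FALSE"])[0].upper() == "TRUE"

    # Failures still counted toward pwdMaxFailure (interval 0 = never forgotten).
    interval = policy["pwdFailureCountInterval"]
    failures = [gtime(v) for v in attrs.get("pwdFailureTime", [])]
    if interval:
        failures = [f for f in failures if now - f < timedelta(seconds=interval)]
    status["recent_failures"] = len(failures)
    return status


def force_reset_ldif(dn):
    """LDIF change record to pipe into ldapmodify so the next bind must change the password."""
    return f"dn: {dn}\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n"


# Constructed sample: password changed 100 days ago, five failed binds,
# locked at 06:30Z on the day of the thread, flagged for reset.
SAMPLE_LDIF = """\
dn: uid=rock,ou=people,dc=abc,dc=com
pwdChangedTime: 20150106123000Z
pwdAccountLockedTime: 20150416063000Z
pwdFailureTime: 20150416062900.104233Z
pwdFailureTime: 20150416062910.221870Z
pwdFailureTime: 20150416062920.305118Z
pwdFailureTime: 20150416062930.417702Z
pwdFailureTime: 20150416063000.002519Z
pwdReset: TRUE
"""

if __name__ == "__main__":
    for key, val in account_status(parse_ldif(SAMPLE_LDIF), now=gtime("20150416063500Z")).items():
        print(f"{key}: {val}")
    print(force_reset_ldif("uid=rock,ou=people,dc=abc,dc=com"))
```

With the sample data the account is reported locked until 06:45Z (pwdAccountLockedTime plus the 900 second pwdLockoutDuration), its password expired on 2015-04-06, and pwdReset is pending; run the same check after the lock window and "locked" flips to false while the entry still carries pwdAccountLockedTime until its next successful bind.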