For the lock status of the user account, you may check its pwdAccountLockedTime attribute.

The pwdMustChange value is overridden by pwdReset; maybe the value of this attribute was set to FALSE when you did your test?


Hi, all

I set the policy for users as follows:


# default, policies, abc.com
dn: cn=default,ou=policies,dc=abc,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE


My question is how to check user lock status. Another question is that pwdMustChange doesn’t work in the Linux client when the user first logs in.
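
The check suggested in the reply at the top of this thread, as an added example that is not part of either message: it reads pwdAccountLockedTime and pwdReset from one user entry and applies the posted pwdLockoutDuration of 900 seconds. The entry uid=jdoe, its timestamps, and the helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Policy value from the posted cn=default entry.
PWD_LOCKOUT_DURATION = 900        # seconds; 0 means locked until an admin resets
PERMANENT_LOCK = "000001010000Z"  # ppolicy marker: only an admin can unlock

# Constructed sample: operational attributes as ldapsearch prints them when
# they are requested by name (or with "+"); they are not returned by default.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=abc,dc=com
pwdAccountLockedTime: 20240105101500Z
pwdFailureTime: 20240105101458Z
pwdReset: TRUE
"""

def parse_attrs(ldif):
    """Collect the 'attr: value' lines of one entry into a dict of lists."""
    attrs = {}
    for line in ldif.splitlines():
        if ": " in line and not line.startswith("#"):
            name, value = line.split(": ", 1)
            attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

def parse_gtime(value):
    """Parse a UTC GeneralizedTime value, with or without a fraction."""
    core = value.rstrip("Z").split(".")[0]
    return datetime.strptime(core, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def account_state(ldif, now, lockout_duration=PWD_LOCKOUT_DURATION):
    """Return (locked, unlock_time_or_None, must_change) for one entry."""
    attrs = parse_attrs(ldif)
    # pwdReset on the user entry is what marks "must change at next bind".
    must_change = attrs.get("pwdreset", ["FALSE"])[0].upper() == "TRUE"
    locked_at = attrs.get("pwdaccountlockedtime", [None])[0]
    if locked_at is None:
        return False, None, must_change
    if locked_at == PERMANENT_LOCK or lockout_duration == 0:
        return True, None, must_change   # no automatic unlock
    unlock = parse_gtime(locked_at) + timedelta(seconds=lockout_duration)
    return now < unlock, unlock, must_change

if __name__ == "__main__":
    print(account_state(SAMPLE_LDIF, datetime.now(timezone.utc)))
```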





