On Mon, Feb 14, 2011 at 02:23:30PM -0800, Howard Chu wrote:
> Jan Kohnert wrote:
> > So there comes the next question: Is there a way to lock out specific users permanently (other than creating a cronjob that resets the lockout time after 900s), or do I need to set pwdLockoutDuration to inf and so be forced to manually reset users whose accounts someone has tried to crack?
> Read the slapo-ppolicy manpage again. This is explicitly documented.
I assume that you are talking about setting pwdAccountLockedTime to 000001010000Z which is what I have generally done in these situations.
I think the man page could be improved here. For one thing, pwdAccountLockedTime is listed as an operational attribute: this is quite correct, but most such attributes cannot be set by user or admin action. The wording does not explicitly say that the attribute can be set, and indeed the schema fragment in the manpage includes NO-USER-MODIFICATION which implies that it *cannot* be set. In fact the schema used by the server does not include that flag so this is a doc error.
It is also worth noting that there are issues relating to replication when using this attribute.
I will open an ITS and suggest new wording.
Andrew
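The permanent lock described above (setting pwdAccountLockedTime to the sentinel value 000001010000Z) and the corresponding manual unlock, written out as ldapmodify input. This is an added example, not part of the thread or of the slapo-ppolicy documentation; the DN uid=jdoe,ou=People,dc=example,dc=com is an assumed placeholder, and it presumes the ppolicy overlay is loaded and the bind identity has write access to the entry.

```ldif
# Assumed placeholder entry; replace with the real user DN.
# Lock the account permanently: the sentinel 000001010000Z is
# treated by slapo-ppolicy as "locked, never expires".
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 000001010000Z

# Later, to unlock the same account, remove the attribute
# (a separate ldapmodify run, shown here in the same file).
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
delete: pwdAccountLockedTime
```

Feed the lock record to `ldapmodify -x -D <admin DN> -W -f lock.ldif`; because pwdAccountLockedTime is operational, confirm the result with `ldapsearch ... "(uid=jdoe)" pwdAccountLockedTime` (explicitly requesting the attribute, or using `+`), since it will not appear in a default search. The delete record is the manual reset Jan asked about; keep it separate from the lock record in practice so the two are not applied in one run.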