On 16/06/2016 10:36, Radovan Semancik wrote:
> Thanks Clement,
>
> I'm glad that you confirmed that. I was afraid that I was overlooking something essential here.
>
> On 06/15/2016 10:14 PM, Clément OUDOT wrote:
>> Well, if there is a default ppolicy configured, and yes you need to search it in cn=config, but it can also be a configuration parameter on your side. If there is not, the policy will be defined in pwdPolicySubentry, so you can directly request it.
>
> Yes, theoretically I can have a configuration parameter on my side. But practically that is asking for trouble during operation and maintenance. If the pointer to the default password policy in OpenLDAP changes, I'm quite sure nobody will think about updating the configuration of my application.
>
>> You also need to take into account the value 000001010000Z in pwdAccountLockedTime, which means the password is locked forever.
>
> Sure. I have seen that in the docs.
>
>> But we clearly lack some operations that would allow one to know the state of an account. This could be an interesting discussion if we work on a new ppolicy draft.
>
> Well, that's a bit more complex. It is not just an operation to check the status. There are also use cases to search for such accounts, e.g. statistics on how many accounts are locked, looking for locked accounts if a password attack is suspected, etc.

Maybe a solution can be to rely on the pwdAccountLockedTime attribute presence and create a cronjob that will remove this attribute if the pwdLockoutDuration is over. Not very clean, but it seems a quick fix.
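The lock-state check and the "find the locked accounts" search discussed in this thread, as an added example that is not part of the thread or of OpenLDAP's ppolicy overlay. It assumes the client already has the entry's attributes and the pwdLockoutDuration of the policy that applies (the policy-lookup question above is left to the caller), and that the server supports ordering matches on pwdAccountLockedTime; the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# ppolicy sentinel: this pwdAccountLockedTime value means "locked forever",
# i.e. until an administrator clears the attribute, whatever pwdLockoutDuration says.
LOCKED_FOREVER = "000001010000Z"
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime such as 20160615201400Z (fraction optional)."""
    base = value.partition(".")[0].rstrip("Z")
    return datetime.strptime(base + "Z", GENERALIZED_TIME).replace(tzinfo=timezone.utc)

def lock_state(entry, lockout_duration, now=None):
    """Classify one account: 'unlocked', 'locked', 'locked-forever' or 'lock-expired'.

    entry: attribute dict as an LDAP client returns it (name -> list of values).
    lockout_duration: pwdLockoutDuration (seconds) of the policy that applies to the
    entry; 0 means the lock never expires on its own.  'lock-expired' is the stale
    case (lock ran out, attribute still present) that a cleanup cron job would clear.
    """
    now = now or datetime.now(timezone.utc)
    values = entry.get("pwdAccountLockedTime") or []
    if not values:
        return "unlocked"
    if values[0] == LOCKED_FOREVER:
        return "locked-forever"
    if lockout_duration == 0:
        return "locked"
    locked_until = parse_generalized_time(values[0]) + timedelta(seconds=lockout_duration)
    return "locked" if now < locked_until else "lock-expired"

def locked_accounts_filter(lockout_duration, now=None):
    """Search filter for accounts locked right now (statistics, or spotting a
    password attack).  Assumes the server supports ordering matches on
    pwdAccountLockedTime (generalizedTimeOrderingMatch)."""
    if lockout_duration == 0:
        return "(pwdAccountLockedTime=*)"
    now = now or datetime.now(timezone.utc)
    threshold = (now - timedelta(seconds=lockout_duration)).strftime(GENERALIZED_TIME)
    # The sentinel sorts before every real timestamp, so it needs its own branch.
    return "(|(pwdAccountLockedTime=%s)(pwdAccountLockedTime>=%s))" % (LOCKED_FOREVER, threshold)

# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"pwdAccountLockedTime": ["20160615201400Z"]},
    "uid=bob,ou=people,dc=example,dc=com": {"pwdAccountLockedTime": [LOCKED_FOREVER]},
    "uid=carol,ou=people,dc=example,dc=com": {},
}
```

Entries classified as 'lock-expired' are exactly the ones the cron job above would have to clean up; OpenLDAP itself already treats them as unlocked at the next bind.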