2016-06-15 14:17 GMT+02:00 Radovan Semancik <radovan.semancik@evolveum.com>:

Hi,

I was exploring account lockout functionality of password policy overlay. I would like to know how to reliably check whether particular account is locked or not (e.g. for use by a helpdesk application).

It looks like from the documentation that this is not possible to do by just examining the account LDAP entry. Is that right?

The locked account contains pwdAccountLockedTime that indicates the time when the account was locked. But I also need to determine whether the lock has not expired. For that I need the value of pwdLockoutDuration from the password policy. But how to determine what entry contains a default password policy? For that I need access to cn=config, right? So if my helpdesk application does not have access to the cn=config then I'm pretty much out of luck.

Is my thinking OK or have I overlooked something?

Well, if there is a default ppolicy configured, and yes you need to search it in cn=config, but it can also be a configuration parameter on your side. If there is not, the policy will be defined in pwdPolicySubentry, so you can directly request it.

You also need to take into account the value 000001010000Z in pwdAccountLockedTime which means the password is locked forever.

But we clearly lack of some operations that would allow to know the state of an account. This could be an interesting discussion if we work on a new ppolicy draft.

Clément.