Hi,
I was exploring account lockout functionality of password policy overlay. I would like to know how to reliably check whether particular account is locked or not (e.g. for use by a helpdesk application).
It looks like from the documentation that this is not possible to do by just examining the account LDAP entry. Is that right?
The locked account contains pwdAccountLockedTime that indicates the time when the account was locked. But I also need to determine whether the lock has not expired. For that I need the value of pwdLockoutDuration from the password policy. But how to determine what entry contains a default password policy? For that I need access to cn=config, right? So if my helpdesk application does not have access to the cn=config then I'm pretty much out of luck.
Is my thinking OK or have I overlooked something?