It appears from looking at ppolicy.c that pwdAccountLockedTime is not supported in OpenLDAP. Is there another way to lock a user's account in OpenLDAP outside of simply changing the user's password?
---
Regards,
Kevin Martin
kevin martin ktmdms@gmail.com wrote on 22.12.2021 at 22:42 in message
CACyJYa2V+d1Cv6TgK7PzWS36ij-aih6STL2jE2HZv0R-DwoRow@mail.gmail.com:
It appears from looking at ppolicy.c that pwdAccountLockedTime is not supported in OpenLDAP. Is there another way to lock a user's account in OpenLDAP outside of simply changing the user's password?
I found out the hard way: When all grace logins were consumed after the user should have changed the password, the user can no longer log in (and he/she cannot change the password either).
On 12/27/21 12:04, Ulrich Windl wrote:
kevin martin ktmdms@gmail.com wrote on 22.12.2021 at 22:42 in message
CACyJYa2V+d1Cv6TgK7PzWS36ij-aih6STL2jE2HZv0R-DwoRow@mail.gmail.com:
It appears from looking at ppolicy.c that pwdAccountLockedTime is not supported in OpenLDAP. Is there another way to lock a user's account in OpenLDAP outside of simply changing the user's password?
I found out the hard way: When all grace logins were consumed after the user should have changed the password, the user can no longer log in (and he/she cannot change the password either).
But that's not what the original poster asked for.
See slapo-ppolicy(5) [1]:
"If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator."
IIRC this works. If not, then it's a bug.
In Æ-DIR I let admins maintain a status attribute 'aeStatus' which is also evaluated by ACLs on userPassword to deactivate authentication (auth privilege granted to anonymous only for active entries).
Ciao, Michael.
[1] https://www.openldap.org/software/man.cgi?query=slapo-ppolicy
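The ACL-based deactivation Michael sketches, written out as an added cn=config fragment. This is not Æ-DIR's own configuration and not code from the thread; it assumes a status attribute named aeStatus on each user entry where the value 0 marks an active account (an assumed convention, not taken from the mail), a hypothetical database DN olcDatabase={1}mdb, and that the two rules are inserted at the front of the existing olcAccess list so nothing earlier grants access to userPassword:

```ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Active entries only: anonymous gets "auth" on userPassword, which is what a
# simple bind needs; the user may change their own password; nobody reads the hash.
olcAccess: {0}to attrs=userPassword filter=(aeStatus=0)
  by anonymous auth
  by self write
  by * none
# Everything else (deactivated, archived, or no aeStatus at all) falls through to
# this rule: no "auth" access, so a simple bind fails with invalid credentials
# without touching the stored password or any ppolicy state attribute.
olcAccess: {1}to attrs=userPassword
  by * none
```

Two caveats a practitioner should keep in mind: the rootdn bypasses ACLs entirely, so a deactivated entry is still usable by anyone holding rootdn credentials, and the rules only gate binds that go through userPassword (simple bind and SASL mechanisms that map to it); SASL EXTERNAL or GSSAPI identities mapped onto the same entry are not affected by this ACL and need their own status check.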
pwdAccountLockedTime isn't an attribute that can be set in the database since ppolicy is now compiled into OpenLDAP as opposed to it being a schema that's pulled in, and that attribute is not defined in the source code. I would say that, based on the man page, it's a bug.
On Fri, Dec 31, 2021, 11:23 AM Michael Ströder michael@stroeder.com wrote:
See slapo-ppolicy(5) [1]:
"If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator."
IIRC this works. If not, then it's a bug.
On 1/1/22 00:00, kevin martin wrote:
pwdAccountLockedTime isn't an attribute that can be set in the database since ppolicy is now compiled into OpenLDAP as opposed to it being a schema that's pulled in, and that attribute is not defined in the source code. I would say that, based on the man page, it's a bug.
No bug here. It works as expected. I've tested this with 2.6.0.
Indeed the schema is now hard-coded in servers/slapd/overlays/ppolicy.c, but 'pwdAccountLockedTime' can be used in exactly the same way as before.
Ciao, Michael.
kevin martin ktmdms@gmail.com wrote on 01.01.2022 at 00:00 in
message CACyJYa0rYAhJwbbc6Mp4NMV2g7Kj3W2Y1vqmu0jAbihdnc5zNg@mail.gmail.com:
pwdAccountLockedTime isn't an attribute that can be set in the database since ppolicy is now compiled into OpenLDAP as opposed to it being a schema that's pulled in, and that attribute is not defined in the source code. I would say that, based on the man page, it's a bug.
In 2.4 I can query it from cn=schema,cn=config: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an user account was locked' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation )
In 2.4 I was still pulling in the schema. In 2.5 ppolicy is compiled as part of the code. Assuming it just works, how does one go about setting pwdAccountLockedTime for a user then? I can't add it as an attribute of the user so I'm not sure how it can be set.
On Mon, Jan 3, 2022, 3:21 AM Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
In 2.4 I can query it from cn=schema,cn=config: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an user account was locked' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation )
--On Monday, January 3, 2022 9:39 AM -0600 kevin martin ktmdms@gmail.com wrote:
In 2.4 I was still pulling in the schema. In 2.5 ppolicy is compiled as part of the code. Assuming it just works, how does one go about setting pwdAccountLockedTime for a user then? I can't add it as an attribute of the user so I'm not sure how it can be set.
If it has been moduleloaded into the slapd process, the ppolicy schema is known to slapd and available for use. If you are finding the attribute to not be defined it would suggest you've failed to load the module as required. I would note that you want to ensure you're running 2.5.8 or later (See ITS#9671).
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 1/3/22 16:39, kevin martin wrote:
Assuming it just works, how does one go about setting pwdAccountLockedTime for a user then? I can't add it as an attribute of the user so I'm not sure how it can be set.
If 'pwdAccountLockedTime' is not present in your subschema subentry then slapo-ppolicy module is not correctly loaded.
Ciao, Michael.
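To tie the thread's answer together (Michael: the attribute works exactly as before; Quanah and Michael: if it is missing from the subschema the module is not loaded), here is an added POSIX shell script that is not from the thread or from the OpenLDAP project. It checks the live subschema for pwdAccountLockedTime before doing anything, emits the LDIF that sets the 000001010000Z sentinel from slapo-ppolicy(5), and reads the state back. Assumptions, all hypothetical: slapd listens on ldapi:///, the caller is mapped to the rootdn via SASL EXTERNAL, and the entry is uid=alice,ou=people,dc=example,dc=com. The script also handles one caveat the thread does not spell out: if your subschema marks the attribute NO-USER-MODIFICATION, a plain modify is refused and ldapmodify needs the Relax Rules control (-e relax); rather than assume either form, the script reads which one the server advertises. The two sample subschema lines at the bottom are constructed (the first is the 2.4 definition Ulrich quoted) so the parsing and LDIF helpers can be checked without a server.

```shell
#!/bin/sh
# Added example, not code from this thread or from the OpenLDAP project.
# Lock/unlock an account via slapo-ppolicy's pwdAccountLockedTime after confirming
# that the overlay's schema is actually loaded.
# Hypothetical assumptions: slapd on ldapi:///, admin mapped to the rootdn via SASL EXTERNAL.

LDAPURI="${LDAPURI:-ldapi:///}"
AUTH="-Q -Y EXTERNAL"

# slapo-ppolicy(5): exactly this value means "permanently locked; only an admin unlocks".
LOCK_SENTINEL="000001010000Z"

# ---- pure helpers: no server contact, usable offline ----

# Join LDIF continuation lines (a leading single space) so each attributeTypes
# definition is one line for grep. Blank entry separators are dropped.
ldif_unwrap() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# Classify the subschema on stdin (ldapsearch -b cn=subschema -s base attributeTypes):
#   missing      ppolicy schema absent: the module is not loaded
#   plain        attribute is writable with an ordinary modify (the 2.4 definition)
#   no-user-mod  attribute is NO-USER-MODIFICATION: ldapmodify needs -e relax
schema_status() {
    def=$(ldif_unwrap | grep "NAME 'pwdAccountLockedTime'" | head -n 1)
    if [ -z "$def" ]; then
        echo missing
    elif printf '%s\n' "$def" | grep -q 'NO-USER-MODIFICATION'; then
        echo no-user-mod
    else
        echo plain
    fi
}

# LDIF that locks an entry permanently.
lock_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: pwdAccountLockedTime\npwdAccountLockedTime: %s\n' \
        "$1" "$LOCK_SENTINEL"
}

# LDIF that lifts the lock; an admin unlock is simply deleting the attribute.
unlock_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n' "$1"
}

# Translate a pwdAccountLockedTime value ("" if absent) into a state word.
lock_state() {
    case "$1" in
        "")               echo unlocked ;;
        "$LOCK_SENTINEL") echo permanent ;;
        *)                echo "temporary-since-$1" ;;  # set by failed binds; expires after pwdLockoutDuration
    esac
}

# ---- server-facing helpers (need a live slapd; not exercised offline) ----

# Choose ldapmodify flags from the live subschema, then apply the LDIF on stdin.
apply_ldif() {
    status=$(ldapsearch $AUTH -H "$LDAPURI" -LLL -b cn=subschema -s base attributeTypes | schema_status)
    case "$status" in
        missing)     echo "pwdAccountLockedTime not in subschema: load the ppolicy module first" >&2; return 1 ;;
        no-user-mod) ldapmodify $AUTH -H "$LDAPURI" -e relax ;;
        *)           ldapmodify $AUTH -H "$LDAPURI" ;;
    esac
}

lock_account()   { lock_ldif "$1"   | apply_ldif; }
unlock_account() { unlock_ldif "$1" | apply_ldif; }

# Operational attributes are not returned by default: request it by name (or with '+').
show_lock() {
    val=$(ldapsearch $AUTH -H "$LDAPURI" -LLL -b "$1" -s base pwdAccountLockedTime \
          | ldif_unwrap | sed -n 's/^pwdAccountLockedTime: //p')
    lock_state "$val"
}

# Prove the lock: a simple bind as the user must fail; -e ppolicy makes ldapwhoami
# report the policy reason instead of a bare "Invalid credentials".
probe_bind() { ldapwhoami -x -H "$LDAPURI" -e ppolicy -D "$1" -W || true; }

# ---- constructed sample subschema lines for offline checks ----
SAMPLE_24="attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an user account was locked' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation )"
# Same definition wrapped the way ldapsearch folds long lines, and marked NO-USER-MODIFICATION.
SAMPLE_WRAPPED="attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The
  time an user account was locked' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIF
 ICATION USAGE directoryOperation )"

if [ "${1:-}" = "--demo" ]; then
    lock_ldif "uid=alice,ou=people,dc=example,dc=com"
    printf '%s\n' "$SAMPLE_WRAPPED" | schema_status
fi
```

Usage against a real server is `lock_account "uid=alice,ou=people,dc=example,dc=com"`, then `show_lock` on the same DN should print `permanent` and `probe_bind` should refuse the bind; `unlock_account` reverses it. Note that the lock only governs binds evaluated by slapo-ppolicy (simple binds against userPassword), which is why Michael's ACL approach is still worth having for identities that authenticate another way.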
On 12/27/21 3:04 AM, Ulrich Windl wrote:
I found out the hard way: When all grace logins were consumed after the user should have changed the password, the user can no longer log in (and he/she cannot change the password either).
Future people reading this list may benefit from knowing that this is spelled out in the "Password Policy for LDAP Directories" reference in the man page: https://tools.ietf.org/id/draft-behera-ldap-password-policy-10.html. See section 4.2.1.
You are welcome, future people.
Chris Paul | Rex Consulting | https://www.rexconsulting.net
openldap-technical@openldap.org