>> kevin martin <ktmdms(a)gmail.com> wrote on 01.01.2022
at 00:00 in
pwdAccountLockedTime isn't an attribute that can be set in the
since ppolicy is now compiled into openldap as opposed to it being a schema
that's pulled in and that attribute is not defined in the source code. I
would say that, based on the man page, it's a bug.
In 2.4 I can query it from cn=schema,cn=config:
( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an
user account was locked' EQUALITY generalizedTimeMatch ORDERING
generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
USAGE directoryOperation )
On Fri, Dec 31, 2021, 11:23 AM Michael Ströder <michael(a)stroeder.com>
> On 12/27/21 12:04, Ulrich Windl wrote:
> >>>> kevin martin <ktmdms(a)gmail.com> wrote on 22.12.2021 at 22:42
> > <CACyJYa2V+d1Cv6TgK7PzWS36ij-aih6STL2jE2HZv0R-DwoRow(a)mail.gmail.com>:
> >> it appears from looking at ppolicy.c that pwdAccountLockedTime is not
> >> supported in openldap. is there another way to lock a user's account in
> >> openldap outside of simply changing the user's password?
> > I found out the hard way: When all grace logins were consumed after
> > the user should have changed the password, the user can no longer log
> > in (and he/she cannot change the password either).
> But that's not what the original poster asked for.
> See slapo-ppolicy(5):
> "If pwdAccountLockedTime is set to 000001010000Z, the user's account has
> been permanently locked and may only be unlocked by an administrator."
> IIRC this works. If not, then it's a bug.
> In Æ-DIR I let admins maintain a status attribute 'aeStatus' which is
> also evaluated by ACLs on userPassword to deactivate authentication
> (auth privilege granted to anonymous only for active entries).
> Ciao, Michael.
>  https://www.openldap.org/software/man.cgi?query=slapo-ppolicy
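An added example, not code from this thread or from OpenLDAP itself, illustrating the administrative lock Michael points to: it builds the LDIF a directory admin would apply to set pwdAccountLockedTime to the 000001010000Z sentinel (or to a timestamp for a timed lockout), the LDIF that removes the attribute again, and a simplified model of the lock check, where pwdLockoutDuration is the standard ppolicy attribute giving the lockout length in seconds. The DN is a constructed sample value.

```python
# Added example, not from this thread: the LDIF an administrator would apply to
# lock or unlock an account via pwdAccountLockedTime, and a simplified model of
# the check ppolicy makes to decide whether an entry is currently locked.
from datetime import datetime, timedelta, timezone
from typing import Optional

# Sentinel from slapo-ppolicy(5): permanently locked, only an admin can unlock.
PERMANENT_LOCK = "000001010000Z"
GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, UTC, whole seconds


def gt_to_dt(value: str) -> datetime:
    """Parse a GeneralizedTime such as 20211231112300Z into a UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def lock_ldif(dn: str, permanent: bool = True, when: Optional[str] = None) -> str:
    """LDIF modify that sets pwdAccountLockedTime on the entry.

    permanent=True writes the 000001010000Z sentinel; otherwise 'when'
    (GeneralizedTime, default now) starts a timed lockout that ppolicy
    lifts after the policy's pwdLockoutDuration seconds.
    """
    if permanent:
        value = PERMANENT_LOCK
    else:
        value = when or datetime.now(timezone.utc).strftime(GT_FORMAT)
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: pwdAccountLockedTime\npwdAccountLockedTime: {value}\n")


def unlock_ldif(dn: str) -> str:
    """LDIF modify that removes pwdAccountLockedTime: the administrative unlock."""
    return f"dn: {dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n"


def is_locked(locked_time: Optional[str], lockout_duration: int, now: str) -> bool:
    """True if the entry is locked at 'now' (GeneralizedTime).

    locked_time: the entry's pwdAccountLockedTime, None if absent.
    lockout_duration: pwdLockoutDuration in seconds, 0 = never expires.
    """
    if locked_time is None:
        return False
    if locked_time == PERMANENT_LOCK or lockout_duration == 0:
        return True
    expires = gt_to_dt(locked_time) + timedelta(seconds=lockout_duration)
    return gt_to_dt(now) < expires
```

Feed the LDIF from lock_ldif() or unlock_ldif() to ldapmodify as the rootdn or another identity with write access to the operational attribute; an ldapsearch that requests pwdAccountLockedTime explicitly returns the value is_locked() expects.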