>>> kevin martin <ktmdms(a)gmail.com&gt; schrieb am 22.12.2021 um 22:42 in Nachricht <CACyJYa2V+d1Cv6TgK7PzWS36ij-aih6STL2jE2HZv0R-DwoRow(a)mail.gmail.com&gt;: > it appears from looking at ppolicy.c that pwdAccountLockedTime is not > supported in openlda. is there another way to lock a users account in > openldap outside of simply changing the users password? I found out the hard way: When all grace logins were consumed after the user should have changed the password, the user can no longer log in (and he/she cannot change the password either).

Pwdaccountlockedtime isn't an attribute that can be set in the database since ppolicy is now compiled into openldap as opposed to it being a schema that's pulled in and that attribute is not defined in the source code.  I would say that, based on the man page, it's a bug.

>>> kevin martin <ktmdms(a)gmail.com&gt; schrieb am 01.01.2022 um 00:00 in Nachricht <CACyJYa0rYAhJwbbc6Mp4NMV2g7Kj3W2Y1vqmu0jAbihdnc5zNg(a)mail.gmail.com&gt;: > Pwdaccountlockedtime isn't an attribute that can be set in the database > since ppolicy is now compiled into openldap as opposed to it being a schema > that's pulled in and that attribute is not defined in the source code. I > would say that, based on the man page, it's a bug. In 2.4 I can query it from cn=schema,cn=config: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an user account was locked' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation ) > > On Fri, Dec 31, 2021, 11:23 AM Michael Ströder <michael(a)stroeder.com&gt; wrote: > >> On 12/27/21 12:04, Ulrich Windl wrote: >> >>>> kevin martin <ktmdms(a)gmail.com&gt; schrieb am 22.12.2021 um 22:42 in >> Nachricht >> > <CACyJYa2V+d1Cv6TgK7PzWS36ij-aih6STL2jE2HZv0R-DwoRow(a)mail.gmail.com&gt;: >> >> it appears from looking at ppolicy.c that pwdAccountLockedTime is not >> >> supported in openlda. is there another way to lock a users account in >> >> openldap outside of simply changing the users password? >> > >> > I found out the hard way: When all grace logins were consumed after >> > the user should have changed the password, the user can no longer log >> > in (and he/she cannot change the password either). >> But that's not what the original poster asked for. >> >> See slapo-policy(5) [1]: >> >> "If pwdAccountLockedTime is set to 000001010000Z, the user's account has >> been permanently locked and may only be unlocked by an administrator." >> >> IIRC this works. If not, then it's a bug. >> >> In Æ-DIR I let admins maintain a status attribute 'aeStatus' which is >> also evaluated by ACLs on userPassword to deactivate authentication >> (auth privilege granted to anonymous only for active entries). >> >> Ciao, Michael. >> >> [1] https://www.openldap.org/software/man.cgi?query=slapo-ppolicy >>

Assuming it just works, how does one go about setting pwdAccountLockedTime for a user then?  I can't add it as an attribute of the user so I'm not sure how it can be set.