Hi, all
I set policy for user as following
# default, policies, abc.com
dn: cn=default,ou=policies,dc=abc,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
My question is how to check user lock status. Another question is that pwdMustChange doesn't work on the Linux client when the user logs in for the first time.
Rock.wang
On Thu, Apr 16, 2015, at 06:38 AM, rockwang wrote:
Hi, all
I set policy for user as following
# default, policies, abc.com
dn: cn=default,ou=policies,dc=abc,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
My question is how to check user lock status.
With this policy an entry will have its password expired (it will be denied BIND with an invalid credentials message) when # account.pwdLastChange + policy.pwdMaxAge > $currentTimestamp #
Another question is that pwdMustChange doesn't work on the Linux client when the user logs in for the first time.
Both pwdMustChange (in the policy) and pwdReset (on the entry) must be set if you want the client to force the entry's password to be reset before logging it in.
Rock.wang
dario zanzico
2015-04-19 11:09 GMT+02:00 Dario Zanzico dario@dariozanzico.com:
On Thu, Apr 16, 2015, at 06:38 AM, rockwang wrote:
Hi, all
I set policy for user as following
# default, policies, abc.com
dn: cn=default,ou=policies,dc=abc,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
My question is how to check user lock status.
With this policy an entry will have its password expired (it will be denied BIND with an invalid credentials message) when # account.pwdLastChange + policy.pwdMaxAge > $currentTimestamp #
This is about password expiration, not password lock status. To check the lock, read the pwdAccountLockedTime attribute. If it is present, the password is locked.
Clément.
On Mon, Apr 20, 2015, at 09:27 AM, Clément OUDOT wrote:
2015-04-19 11:09 GMT+02:00 Dario Zanzico dario@dariozanzico.com:
[cut]
This is about password expiration, not password lock status. To check the lock, read the pwdAccountLockedTime attribute. If it is present, the password is locked.
You're right, I misunderstood the OP's message. But checking for the presence of pwdAccountLockedTime is not enough, because the attribute is not automatically deleted after pwdLockoutDuration seconds. It's removed only if the entry binds successfully at least pwdLockoutDuration seconds after pwdAccountLockedTime. The test should then be:
user_locked = (entry.pwdAccountLockedTime + policy.pwdLockoutDuration) > $currentTimestamp
The attribute pwdAccountLockedTime can also be set to the special value 000001010000Z (administrative lockout). If we consider this case too, the test becomes:
user_locked = ( entry.pwdAccountLockedTime == 000001010000Z ) || ( (entry.pwdAccountLockedTime + policy.pwdLockoutDuration) > $currentTimestamp )
Clément.
dario
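The lock test Dario arrives at above, together with the pwdMustChange/pwdReset point made in the replies, can be evaluated offline from the attribute values an ldapsearch returns. The following is an added example, not code from any poster in this thread or from OpenLDAP itself. It assumes the entry and policy are plain dicts of attribute strings (GeneralizedTime values such as 20150416063800Z, booleans as TRUE/FALSE), uses pwdChangedTime for the expiry check because that is the attribute slapd's ppolicy overlay stamps on a password change, and treats a pwdLockoutDuration of 0 as "locked until an administrator resets it", which is what the ppolicy draft specifies. The sample entries and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Special pwdAccountLockedTime value meaning "locked by an administrator".
ADMIN_LOCK = "000001010000Z"

# Constructed sample: the relevant values from the policy posted in the thread.
SAMPLE_POLICY = {
    "pwdMaxAge": "7776002",
    "pwdLockoutDuration": "900",
    "pwdMustChange": "TRUE",
}


def parse_generalized_time(value):
    """Parse the 14-digit UTC GeneralizedTime that slapd's ppolicy writes."""
    base = value.rstrip("Z").split(".")[0]  # ignore any fractional seconds
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def is_locked(entry, policy, now):
    """True if the entry cannot bind because of a ppolicy lockout."""
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None:
        return False
    if locked_at == ADMIN_LOCK:
        return True  # administrative lockout never expires on its own
    duration = int(policy.get("pwdLockoutDuration", "0"))
    if duration == 0:
        # Zero/absent duration: locked until a password administrator resets it.
        return True
    # The attribute survives past the duration until the next successful bind,
    # so presence alone is not enough: compare the timestamps.
    return parse_generalized_time(locked_at) + timedelta(seconds=duration) > now


def is_expired(entry, policy, now):
    """True if pwdChangedTime + pwdMaxAge has already passed (pwdMaxAge 0: never)."""
    max_age = int(policy.get("pwdMaxAge", "0"))
    changed = entry.get("pwdChangedTime")
    if max_age == 0 or changed is None:
        return False
    return parse_generalized_time(changed) + timedelta(seconds=max_age) <= now


def must_reset(entry, policy):
    """A client forces a password change only when both flags are TRUE."""
    return policy.get("pwdMustChange") == "TRUE" and entry.get("pwdReset") == "TRUE"


def account_status(entry, policy, now):
    """Summarise the three ppolicy states a help desk usually asks about."""
    return {
        "locked": is_locked(entry, policy, now),
        "expired": is_expired(entry, policy, now),
        "must_reset": must_reset(entry, policy),
    }


# Constructed sample entries (attribute values as ldapsearch would show them).
LOCKED_ENTRY = {
    "pwdChangedTime": "20150101120000Z",
    "pwdAccountLockedTime": "20150416063800Z",
    "pwdReset": "TRUE",
}
ADMIN_LOCKED_ENTRY = {"pwdAccountLockedTime": ADMIN_LOCK}

# Constructed reference times: 7 minutes and then 22 minutes after the lockout.
SAMPLE_NOW = datetime(2015, 4, 16, 6, 45, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=15)

if __name__ == "__main__":
    print(account_status(LOCKED_ENTRY, SAMPLE_POLICY, SAMPLE_NOW))
    print(account_status(LOCKED_ENTRY, SAMPLE_POLICY, SAMPLE_LATER))
    print(account_status(ADMIN_LOCKED_ENTRY, SAMPLE_POLICY, SAMPLE_NOW))
```

Run against a live directory, the two dicts would come from an ldapsearch of the user entry (requesting the operational attributes with `+`) and of the policy entry named by the user's pwdPolicySubentry or the overlay's default policy; the comparison logic stays the same.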
Hi,
For lock status of the user account you may check his pwdAccountLockedTime attribute
The pwdMustChange value is overridden by pwdReset; maybe the value of this attribute was set to FALSE when you did your test?
Cheers.
On 16/04/2015 06:38, rockwang wrote:
Hi, all
I set policy for user as following
# default, policies, abc.com
dn: cn=default,ou=policies,dc=abc,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
My question is how to check user lock status. Another question is that pwdMustChange doesn't work on the Linux client when the user logs in for the first time.
Rock.wang
openldap-technical@openldap.org