Hi Everybody, https://stackoverflow.com/posts/76341444/timeline
Sorry, we are fighting with pwdAccountLockedTime.
I want to use "pwdAccountLockedTime" attribute to automatically lock an account using OpenLDAP (v.2.5.14). Whatever the value in the field, the account is never locked.
I first started by activating the "ppolicy" module using slapadd and a ppolicy-module.ldif file such as mentioned here "https://stackoverflow.com/questions/49257247/how-to-activate-ppolicy-module-...", then I have checked that the module is loaded and I did not have any problem:
$ sudo slapcat -n 0 | grep olcModuleLoad | grep ppolicy
olcModuleLoad: {0}ppolicy
Then, I have extended the LDAP schema to allow using ppolicy attributes such as "pwdAccountLockedTime". I have set it to "00000101000000Z" in order to permanently lock an account (to check if it was working). But I can still connect (using LDAP Admin tools) with the account that was supposed to be locked.
We also tried to modify the value
dn: uid=...
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 20221021135537Z
and even with dates in the future, but we are still able to connect, with the whoami command or from a SOGo webmail connected to the LDAP server.
Any idea? Thanks in advance for your help.
Best Damien
On 11/07/2023 at 11:41, CVZ wrote:
> Hi Everybody, https://stackoverflow.com/posts/76341444/timeline
> Sorry, we are fighting with pwdAccountLockedTime.
> I want to use "pwdAccountLockedTime" attribute to automatically lock an account using OpenLDAP (v.2.5.14). Whatever the value in the field, the account is never locked.
> I first started by activating the "ppolicy" module using slapadd and a ppolicy-module.ldif file such as mentioned here "https://stackoverflow.com/questions/49257247/how-to-activate-ppolicy-module-...", then I have checked that the module is loaded and I did not have any problem:
> $ sudo slapcat -n 0 | grep olcModuleLoad | grep ppolicy
> olcModuleLoad: {0}ppolicy
> Then, I have extended the LDAP schema to allow using ppolicy attributes such as "pwdAccountLockedTime".
No need to do that, pwdAccountLockedTime is an operational attribute.
> I have set it to "00000101000000Z" in order to permanently lock an account (to check if it was working). But I can still connect (using LDAP Admin tools) with the account that was supposed to be locked.
> We also tried to modify the value
> dn: uid=...
> changetype: modify
> replace: pwdAccountLockedTime
> pwdAccountLockedTime: 20221021135537Z
> and even with dates in the future, but we are still able to connect, with the whoami command or from a SOGo webmail connected to the LDAP server.
> Any idea? Thanks in advance for your help.
Check that pwdLockout is set to TRUE in your ppolicy.
Hi,
Could you show us your ppolicy settings please?
As far as I remember, you need at least pwdLockout set to TRUE in order to have the attribute pwdAccountLockedTime checked.
From: CVZ bremont@cvz.es
To: openldap-technical@openldap.org
Subject: pwdAccountLockedTime does not have any impact
Date: 11/07/2023 11:41:41 Europe/Paris
> Hi Everybody, Sorry, we are fighting with pwdAccountLockedTime.
> I want to use "pwdAccountLockedTime" attribute to automatically lock an account using OpenLDAP (v.2.5.14). Whatever the value in the field, the account is never locked.
> I first started by activating the "ppolicy" module using slapadd and a ppolicy-module.ldif file such as mentioned here "https://stackoverflow.com/questions/49257247/how-to-activate-ppolicy-module-...", then I have checked that the module is loaded and I did not have any problem:
> $ sudo slapcat -n 0 | grep olcModuleLoad | grep ppolicy
> olcModuleLoad: {0}ppolicy
> Then, I have extended the LDAP schema to allow using ppolicy attributes such as "pwdAccountLockedTime". I have set it to "00000101000000Z" in order to permanently lock an account (to check if it was working). But I can still connect (using LDAP Admin tools) with the account that was supposed to be locked.
> We also tried to modify the value
> dn: uid=...
> changetype: modify
> replace: pwdAccountLockedTime
> pwdAccountLockedTime: 20221021135537Z
> and even with dates in the future, but we are still able to connect, with the whoami command or from a SOGo webmail connected to the LDAP server.
> Any idea? Thanks in advance for your help.
> Best Damien
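The point both replies make (pwdAccountLockedTime is only honoured when the policy that applies to the entry has pwdLockout: TRUE) and the different lock-time values tried in the original message, worked through as an added example that is not part of this thread or of OpenLDAP itself. The checker below parses a pwdPolicy entry and a user entry from constructed LDIF and evaluates them the way slapo-ppolicy(5) documents the lockout rules: a policy applies via pwdPolicySubentry or the overlay's default policy, 000001010000Z is the documented permanent-lock sentinel, any other value is a GeneralizedTime whose lock expires after pwdLockoutDuration seconds, and a duration of 0 means the lock stays until an administrator clears the attribute. The DNs, the policy entry, the user entry and the "now" timestamp (the thread's date) are all constructed for the example; the 14-digit value from the original message is not the documented sentinel and the checker reports it as such rather than guessing how slapd would parse it.

```python
"""Offline checker for slapo-ppolicy account lockout (added example, not
from the thread or the OpenLDAP project). Sample entries are constructed."""
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # sentinel documented in slapo-ppolicy(5)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercase attribute: [values]}.
    Handles folded lines (continuation starts with a space) and comments;
    base64 (::) values are not needed for this example."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def first(attrs, name, default=None):
    """First value of an attribute, or default when it is absent."""
    return attrs.get(name.lower(), [default])[0]


def applicable_policy(entry, policies, default_policy_dn):
    """The policy ppolicy would apply: pwdPolicySubentry, else the default."""
    dn = first(entry, "pwdPolicySubentry") or default_policy_dn
    return policies.get(dn.lower()) if dn else None


def lock_status(policy, entry, now):
    """Return (locked, reason) for the entry under the given policy."""
    locked_time = first(entry, "pwdAccountLockedTime")
    if locked_time is None:
        return False, "entry has no pwdAccountLockedTime"
    if policy is None:
        return False, "no password policy applies to this entry; ppolicy enforces nothing"
    if first(policy, "pwdLockout", "FALSE").upper() != "TRUE":
        return False, "policy has pwdLockout FALSE, so pwdAccountLockedTime is ignored"
    if locked_time == PERMANENT_LOCK:
        return True, "permanently locked (000001010000Z)"
    try:
        locked_at = datetime.strptime(locked_time, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        # e.g. 00000101000000Z: not the documented sentinel and not a valid year
        return False, f"value {locked_time!r} is neither the sentinel nor a valid GeneralizedTime"
    duration = int(first(policy, "pwdLockoutDuration", "0"))
    if duration == 0:
        return True, "locked until an administrator clears pwdAccountLockedTime"
    expires = locked_at + timedelta(seconds=duration)
    if now < expires:
        return True, f"locked until {expires:%Y%m%d%H%M%SZ}"
    return False, f"lock expired at {expires:%Y%m%d%H%M%SZ}"


def check(policy_ldif, user_ldif, now, default_policy_dn=None):
    """Parse both entries and evaluate the lock state."""
    policy = parse_ldif_entry(policy_ldif)
    entry = parse_ldif_entry(user_ldif)
    policies = {first(policy, "dn").lower(): policy}
    return lock_status(applicable_policy(entry, policies, default_policy_dn), entry, now)


# Constructed sample entries (hypothetical DNs, not from any real directory).
POLICY_DN = "cn=default,ou=policies,dc=example,dc=com"
POLICY_NO_LOCKOUT = f"""\
dn: {POLICY_DN}
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdLockout: FALSE
pwdLockoutDuration: 600
"""
POLICY_LOCKOUT = POLICY_NO_LOCKOUT.replace("pwdLockout: FALSE", "pwdLockout: TRUE")
USER_TEMPLATE = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
pwdAccountLockedTime: {when}
"""
NOW = datetime(2023, 7, 11, 9, 41, tzinfo=timezone.utc)  # the thread's date, in UTC

if __name__ == "__main__":
    for label, policy, when in [
        ("past lock, pwdLockout FALSE", POLICY_NO_LOCKOUT, "20221021135537Z"),
        ("past lock, pwdLockout TRUE, 600s", POLICY_LOCKOUT, "20221021135537Z"),
        ("future lock, pwdLockout TRUE", POLICY_LOCKOUT, "20991231235959Z"),
        ("sentinel, pwdLockout TRUE", POLICY_LOCKOUT, PERMANENT_LOCK),
        ("year-0000 value with seconds", POLICY_LOCKOUT, "00000101000000Z"),
    ]:
        locked, why = check(policy, USER_TEMPLATE.format(when=when), NOW, POLICY_DN)
        print(f"{label:36s} locked={locked} ({why})")
```

Run it against slapcat output of your own policy and user entries: the first thing to confirm is which policy actually applies (pwdPolicySubentry on the entry, or olcPPolicyDefault on the overlay), then that it carries pwdLockout: TRUE; only after that do the timestamp and pwdLockoutDuration matter.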