pwdAccountLockedTime isn't an attribute that can be set in the database since ppolicy is now compiled into openldap as opposed to it being a schema that's pulled in, and that attribute is not defined in the source code. I would say that, based on the man page, it's a bug.
On Fri, Dec 31, 2021, 11:23 AM Michael Ströder <[email protected]> wrote:

> On 12/27/21 12:04, Ulrich Windl wrote:
> >>>> kevin martin <[email protected]> wrote on 22.12.2021 at 22:42 in message
> > <cacyjya2v+d1cv6tgk7pzws36ij-aih6stl2je2hzv0r-dwo...@mail.gmail.com>:
> >> it appears from looking at ppolicy.c that pwdAccountLockedTime is not
> >> supported in openldap. is there another way to lock a user's account in
> >> openldap outside of simply changing the user's password?
> >
> > I found out the hard way: When all grace logins were consumed after
> > the user should have changed the password, the user can no longer log
> > in (and he/she cannot change the password either).
>
> But that's not what the original poster asked for.
>
> See slapo-ppolicy(5) [1]:
>
> "If pwdAccountLockedTime is set to 000001010000Z, the user's account has
> been permanently locked and may only be unlocked by an administrator."
>
> IIRC this works. If not, then it's a bug.
>
> In Æ-DIR I let admins maintain a status attribute 'aeStatus' which is
> also evaluated by ACLs on userPassword to deactivate authentication
> (auth privilege granted to anonymous only for active entries).
>
> Ciao, Michael.
>
> [1] https://www.openldap.org/software/man.cgi?query=slapo-ppolicy
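Added example (mine, not code from Kevin, Michael or the OpenLDAP project) showing the two lock cases behind the slapo-ppolicy(5) sentence quoted above: the 000001010000Z sentinel for a permanent lock, and an ordinary lock that expires after the policy's pwdLockoutDuration (a standard ppolicy attribute I'm assuming here; it isn't mentioned in the thread). The DNs and timestamps are constructed; the LDIF helper only builds the modify request the man page implies, and whether slapd accepts that write is exactly what this thread is arguing about.

```python
from datetime import datetime, timedelta, timezone

# Sentinel from slapo-ppolicy(5): this pwdAccountLockedTime value marks an
# account as permanently locked until an administrator clears it.
PERMANENT_LOCK = "000001010000Z"

def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime (YYYYmmddHHMMSSZ or YYYYmmddHHMMZ) as UTC.
    The sentinel is year 0000, which strptime rejects: test for it first."""
    fmt = "%Y%m%d%H%M%SZ" if len(value) == 15 else "%Y%m%d%H%MZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def lock_state(entry: dict, lockout_duration: int, now: datetime) -> str:
    """Classify an entry's ppolicy lock state for an audit report.
    entry: attribute dict as a search result gives it (values are lists).
    lockout_duration: the policy's pwdLockoutDuration in seconds; 0 means the
    lock never expires by itself (assumed default ppolicy semantics).
    Returns 'unlocked', 'locked-permanent', 'locked' or 'lock-expired'."""
    values = entry.get("pwdAccountLockedTime", [])
    if not values:
        return "unlocked"
    if values[0] == PERMANENT_LOCK:
        return "locked-permanent"
    if lockout_duration == 0:
        return "locked"
    expires = parse_generalized_time(values[0]) + timedelta(seconds=lockout_duration)
    return "locked" if now < expires else "lock-expired"

def permanent_lock_ldif(dn: str) -> str:
    """LDIF change record for ldapmodify that requests the permanent lock;
    whether slapd accepts the write is the open question in this thread."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: pwdAccountLockedTime\n"
            f"pwdAccountLockedTime: {PERMANENT_LOCK}\n")

if __name__ == "__main__":
    # Constructed sample entries: DNs and timestamps are made up for illustration.
    now = datetime(2021, 12, 22, 22, 0, tzinfo=timezone.utc)
    samples = {
        "uid=alice,ou=people,dc=example,dc=org": {},
        "uid=bob,ou=people,dc=example,dc=org": {"pwdAccountLockedTime": [PERMANENT_LOCK]},
        "uid=carol,ou=people,dc=example,dc=org": {"pwdAccountLockedTime": ["20211222215500Z"]},
        "uid=dave,ou=people,dc=example,dc=org": {"pwdAccountLockedTime": ["20211222210000Z"]},
    }
    for dn, entry in samples.items():
        print(dn, lock_state(entry, lockout_duration=900, now=now))  # 15-minute lockout
    print(permanent_lock_ldif("uid=alice,ou=people,dc=example,dc=org"))
```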
