In 2.4 I was still pulling in the schema. In 2.5 ppolicy is compiled as part of the code. Assuming it just works, how does one go about setting pwdAccountLockedTime for a user then? I can't add it as an attribute of the user so I'm not sure how it can be set.
On Mon, Jan 3, 2022, 3:21 AM Ulrich Windl <[email protected]> wrote: > >>> kevin martin <[email protected]> schrieb am 01.01.2022 um 00:00 in > Nachricht > <cacyjya0ryahjwbbc6mp4nmv2g7kj3w2y1vqmu0jabihdnc5...@mail.gmail.com>: > > Pwdaccountlockedtime isn't an attribute that can be set in the database > > since ppolicy is now compiled into openldap as opposed to it being a > schema > > that's pulled in and that attribute is not defined in the source code. I > > would say that, based on the man page, it's a bug. > > In 2.4 I can query it from cn=schema,cn=config: > ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an > user account was locked' EQUALITY generalizedTimeMatch ORDERING > generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 > SINGLE-VALUE > USAGE directoryOperation ) > > > > > On Fri, Dec 31, 2021, 11:23 AM Michael Ströder <[email protected]> > wrote: > > > >> On 12/27/21 12:04, Ulrich Windl wrote: > >> >>>> kevin martin <[email protected]> schrieb am 22.12.2021 um 22:42 in > >> Nachricht > >> > <cacyjya2v+d1cv6tgk7pzws36ij-aih6stl2je2hzv0r-dwo...@mail.gmail.com>: > >> >> it appears from looking at ppolicy.c that pwdAccountLockedTime is not > >> >> supported in openlda. is there another way to lock a users account > in > >> >> openldap outside of simply changing the users password? > >> > > >> > I found out the hard way: When all grace logins were consumed after > >> > the user should have changed the password, the user can no longer log > >> > in (and he/she cannot change the password either). > >> But that's not what the original poster asked for. > >> > >> See slapo-policy(5) [1]: > >> > >> "If pwdAccountLockedTime is set to 000001010000Z, the user's account has > >> been permanently locked and may only be unlocked by an administrator." > >> > >> IIRC this works. If not, then it's a bug. > >> > >> In Æ-DIR I let admins maintain a status attribute 'aeStatus' which is > >> also evaluated by ACLs on userPassword to deactivate authentication > >> (auth privilege granted to anonymous only for active entries). > >> > >> Ciao, Michael. > >> > >> [1] https://www.openldap.org/software/man.cgi?query=slapo-ppolicy > >> > > > >
