Hi,


Could you show us your ppolicy settings, please?



As far as I remember, you need at least pwdLockout set to TRUE in order to have 
the attribute pwdAccountLockedTime checked.



From: CVZ <[email protected]>
To: [email protected]
Subject: pwdAccountLockedTime does not have any impact
Date: 11/07/2023 11:41:41 Europe/Paris

Hi Everybody,
Sorry, we are fighting with pwdAccountLockedTime.



I want to use "pwdAccountLockedTime" attribute to automatically lock an account 
using OpenLDAP (v.2.5.14). Whatever the value in the field, the account is 
never locked.

I first started by activating the "ppolicy" module using slapadd and a 
ppolicy-module.ldif file such as the one mentioned here 
(https://stackoverflow.com/questions/49257247/how-to-activate-ppolicy-module-in-openldap),
then I checked that the module is loaded and I did not have any problem:
$ sudo slapcat -n 0 | grep olcModuleLoad | grep ppolicy
olcModuleLoad: {0}ppolicy

Then, I extended the LDAP schema to allow the use of ppolicy attributes such 
as "pwdAccountLockedTime". I set it to "00000101000000Z" in order to 
permanently lock an account (to check if it was working). But I can still 
connect (using LDAP Admin tools) with the account that was supposed to be locked.

We also tried to modify the value:

dn: uid=...
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 20221021135537Z

And even with dates in the future, but we are still able to connect, whether 
with the whoami command or from a SOGo webmail connected to the LDAP server.

Any idea?
Thanks in advance for your help.

Best
Damien
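Added example, not taken from either message in this thread: a minimal cn=config 
setup that attaches the ppolicy overlay to the user database and points it at a 
policy with pwdLockout: TRUE, followed by the manual lock the post tried. The 
suffix dc=example,dc=com, the database entry olcDatabase={1}mdb, the policy DN 
cn=default,ou=policies,dc=example,dc=com and the test user uid=jdoe are 
assumptions; replace them with your own values.

```ldif
# Added example, not from the original thread.  Assumed values: suffix
# dc=example,dc=com, user database olcDatabase={1}mdb, policy entry
# cn=default,ou=policies,dc=example,dc=com, test user uid=jdoe.
# Apply the cn=config entry with:  ldapmodify -Y EXTERNAL -H ldapi:///
# and the remaining entries as the directory administrator.

# 1. Instantiate the overlay on the user database.  olcModuleLoad only
#    loads the code; nothing is enforced until an olcOverlay=ppolicy
#    entry exists under the database that holds the users.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 2. The default policy the overlay consults.  pwdPolicy is an auxiliary
#    class, so it is stacked on a structural one (person, as in the slapd
#    admin guide).  pwdLockout: TRUE turns on lockout handling;
#    pwdMaxFailure / pwdLockoutDuration govern automatic locks after
#    consecutive failed binds (here 5 failures, 15 minutes).
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900

# 3. Manual lock of one account.  000001010000Z is the value slapo-ppolicy
#    documents as "locked until an administrator clears it"; a real
#    timestamp is treated as the moment the lock started and it expires
#    pwdLockoutDuration seconds later (never, when the duration is 0).
#    pwdAccountLockedTime is NO-USER-MODIFICATION, so ldapmodify needs
#    -e relax to write or delete it.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 000001010000Z
-

# Unlock again by deleting the attribute (also with -e relax).
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
delete: pwdAccountLockedTime
-
```

Before testing a bind, check that the overlay is really attached to the database: 
sudo slapcat -n 0 | grep -A4 'olcOverlay=ppolicy' should show the first entry above 
(grepping for olcModuleLoad only proves the module is loaded, not that any database 
uses it). With the lock in place, 
ldapwhoami -x -e ppolicy -H ldap://localhost -D uid=jdoe,ou=people,dc=example,dc=com -W 
should fail with "ldap_bind: Invalid credentials (49)" and, because the ppolicy 
response control was requested, the text "Account locked".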


