Re: (ITS#5579) Interaction of ppolicy attributes



On Sat, Jun 28, 2008 at 07:21:44PM -0700, Howard Chu wrote:

> >pwdFailureTime cannot be modified directly, so I think there is a case for
> >clearing it when pwdAccountLockedTime is cleared explicitly.
> 
> Technically, you're not supposed to be able to modify pwdAccountLockedTime 
> directly either. The current behavior is a temporary hack. The only 
> legitimate way to remove those attributes is by setting a new password. I'm 
> rejecting this ITS.

Indeed, though draft-behera-ldap-password-policy-xx.txt is a bit unclear
on the subject of that attribute:

5.3.3  pwdAccountLockedTime

   This attribute holds the time that the user's account was locked. A
   locked account means that the password may no longer be used to
   authenticate.  A 000001010000Z value means that the account has been
   locked permanently, and that only a password administrator can unlock
   the account.

One reading of that clause is that *setting* pwdAccountLockedTime to
000001010000Z is the way to lock an account by administrative action. 
There does not appear to be anything in the I-D that would cause the
server to set that value itself.  The current implementation does allow
admins to set the value, which appears to be the only way to
lock/unlock an account without changing the password.

I would certainly prefer to have separate attributes for 'admin lock'
and 'auto lock'.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
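A worked illustration of the two readings discussed in this message: how a client should interpret pwdAccountLockedTime (the 000001010000Z sentinel as a permanent administrative lock versus a timed auto-lock that expires after pwdLockoutDuration seconds), and what the administrative lock/unlock modification looks like as LDIF. This is an added example, not code from OpenLDAP, from the I-D, or from anyone in this thread. It assumes the draft-behera semantics that pwdLockoutDuration is a number of seconds held in the policy entry, that 0 (or absence) means the lock never expires on its own, and that the entry is given as a dict of attribute name to list of string values; the function and variable names are the example's own.

```python
"""Interpret pwdAccountLockedTime and build admin lock/unlock LDIF (added example)."""
from datetime import datetime, timedelta, timezone

# Sentinel value from draft-behera 5.3.3: the account is locked permanently and
# only a password administrator can unlock it. Note it is not a parseable
# GeneralizedTime (year 0000, no seconds field), so compare it as a string.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form ppolicy writes: YYYYmmddHHMMSS[.fff]Z (UTC)."""
    base, _, _ = value.rstrip("Z").partition(".")
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lock_state(entry: dict, policy: dict, now: datetime) -> str:
    """Return 'unlocked', 'locked' or 'locked-permanent'.

    entry  -- the user entry (attribute -> list of values)
    policy -- the pwdPolicy entry it is subject to (assumed to carry pwdLockoutDuration)
    now    -- current time, timezone-aware UTC
    """
    values = entry.get("pwdAccountLockedTime", [])
    if not values:
        return "unlocked"
    value = values[0]
    if value == PERMANENT_LOCK:
        # Administrative lock: no timeout applies, regardless of pwdLockoutDuration.
        return "locked-permanent"
    locked_at = parse_generalized_time(value)
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    if duration == 0:
        # Assumed semantics: a zero/absent duration means the auto-lock does not expire.
        return "locked"
    return "locked" if now < locked_at + timedelta(seconds=duration) else "unlocked"


def admin_lock_ldif(dn: str) -> str:
    """LDIF that locks an account by the administrative reading of 5.3.3."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: pwdAccountLockedTime",
        f"pwdAccountLockedTime: {PERMANENT_LOCK}",
        "-",
        "",
    ])


def admin_unlock_ldif(dn: str) -> str:
    """LDIF that clears the lock without changing the password.

    As the thread notes, this does not clear pwdFailureTime; only a password
    change does that, so a user who is unlocked this way may still be one
    failed bind away from a new auto-lock.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: pwdAccountLockedTime",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entries, not data from any real directory.
    policy = {"pwdLockoutDuration": ["600"]}
    user = {"pwdAccountLockedTime": ["20080628190000Z"]}
    at = datetime(2008, 6, 28, 19, 5, tzinfo=timezone.utc)
    print(lock_state(user, policy, at))
    print(admin_lock_ldif("uid=alice,ou=People,dc=example,dc=com"))
```

The LDIF would be fed to ldapmodify as the rootdn or a password administrator; current OpenLDAP releases treat pwdAccountLockedTime as an operational attribute managed by the overlay, so the Relax Rules control (ldapmodify -e relax) is needed to modify it directly.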