
Re: ppolicy: unlock users who are locked out with pwdMaxFailure?



On Wednesday 05 March 2008 03:38:57 Zhang Weiwu wrote:
> Dear all
>
> By googling around I saw that a lot of questions were asked about this, but
> they were either not answered or were answered without a practical how-to:
>
> http://archives.devshed.com/forums/networking-100/question-pertaining-to-ppolicy-overlay-feature-1334235.html
> http://www.mail-archive.com/openldap-software@openldap.org/msg08718.html
> http://www.openldap.org/lists/openldap-software/200509/msg00219.html
>
> Let's say the admin user wishes to unlock a user, without changing his
> password or resetting his password. What should he do?
> Should he delete all pwdLockedTime for the locked user?
> Should he delete pwdAccountLockedTime for the locked user?

I actually just had to do this, as I locked myself out while testing. Deleting
pwdAccountLockedTime works on 2.3.40 (though the schema definition for the
attribute in the slapo-ppolicy man page seems to indicate it can't be
modified, while the one used in the ppolicy.c source indicates it can):

        {       "( 1.3.6.1.4.1.42.2.27.8.1.17 "
                "NAME ( 'pwdAccountLockedTime' ) "
                "DESC 'The time an user account was locked' "
                "EQUALITY generalizedTimeMatch "
                "ORDERING generalizedTimeOrderingMatch "
                "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
                "SINGLE-VALUE "
#if 0
                /* Not until MANAGEDIT control is released */
                "NO-USER-MODIFICATION "
#endif

Regards,
Buchan
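
Added example, not part of the original message or of OpenLDAP's own code: a small script that turns ldapsearch output into the modify LDIF that deletes pwdAccountLockedTime, the operation the reply reports working on 2.3.40. The DNs, timestamps and search command in the sample are constructed, and the function name unlock_ldif is hypothetical.

```python
"""Turn ldapsearch output into an LDIF that clears ppolicy lockouts."""

# Constructed sample of what
#   ldapsearch -LLL -b ou=People,dc=example,dc=com '(uid=*)' pwdAccountLockedTime
# might return. pwdAccountLockedTime is operational, so it is only returned
# when requested by name. ldapsearch folds long lines: a continuation line
# starts with a single space.
SAMPLE_SEARCH_OUTPUT = """\
dn: uid=alice,ou=People,dc=example,dc=com
pwdAccountLockedTime: 20080305033857Z

dn: uid=a-long-login-name-that-ldapsearch-wraps,ou=People,dc=example,dc=co
 m
pwdAccountLockedTime: 20080305034512Z

dn: uid=bob,ou=People,dc=example,dc=com
"""

ATTR = "pwdAccountLockedTime"


def unlock_ldif(search_output: str) -> str:
    """Return modify records deleting ATTR from every entry that carries it."""
    # Unfold LDIF continuation lines before looking at attribute names.
    text = search_output.replace("\r\n", "\n").replace("\n ", "")
    records = []
    for entry in text.split("\n\n"):
        lines = [ln for ln in entry.splitlines() if ln and not ln.startswith("#")]
        # Keep the dn line verbatim so a base64 "dn:: ..." stays valid LDIF.
        dn = next((ln for ln in lines if ln.lower().startswith("dn:")), None)
        locked = any(ln.lower().startswith(ATTR.lower() + ":") for ln in lines)
        if dn and locked:
            # No value after "delete:" removes the attribute entirely; the
            # password and the rest of the entry are left untouched.
            records.append(f"{dn}\nchangetype: modify\ndelete: {ATTR}\n-\n")
    return "\n".join(records)


if __name__ == "__main__":
    # Feed the result to ldapmodify bound as an identity allowed to write the
    # attribute, e.g.:  python3 unlock.py | ldapmodify -x -D <admin DN> -W
    print(unlock_ldif(SAMPLE_SEARCH_OUTPUT), end="")
```

Review the generated LDIF before piping it to ldapmodify, since every entry listed in it will be unlocked.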