Re: Grace period for inactive accounts?

["Gavin Henry" <ghenry@suretecsystems.com>]

<quote who="Scott Classen">
> ----- Original Message -----
> From: Howard Chu <hyc@symas.com>
> Date: Friday, March 14, 2008 2:55 am
> Subject: Re: Grace period for inactive accounts?
> To: Gavin Henry <ghenry@openldap.org>
> Cc: openldap-software@openldap.org, John Maki <jmaki66@yahoo.com>
>
>> Gavin Henry wrote:
>> > John Maki wrote:
>> >> Hi, I'm using Openldap 2.3.38 with the ppolicy overlay
>> >> on a Fedora 7 x86-64 server.  Is there any
>> >> functionality built in to provide account locking
>> >> after a certain length of time after a password
>> >> expires?  Similiar to pwdGraceAuthnLimit but based on
>> >> time rather than number of login attempts?  I'd like
>> >> to be able to lock accounts after a period of
>> >> inactivity.  Or am I missing some other way of doing
>> >> this?
>> >>
>> >
>> > There's nothing I can see or know about. Anyone else?
>> >
>> Read the spec.
>
> Seems to me that you just need to judiciously set up ppolicy.
> set pwdMaxAge to the max time you want your users to be able to have an
> inactive account
> then set pwdGraceAuthnLimit to 0

This won't work unless he means "after a period of inactivity" to be
actually changing their password.

For example, if he wants to lock an account after 15 days of no logins,
then if a user logs in on day 14, he would expect the lockout period to be
reset. However, to reset it the user would have to change their password
so pwdChangeTime updates.

Or am I way off?

>
> then if a user hasn't logged in within your set amount of time their
> account will be locked.
>
> This is pretty harsh though. You could probably set pwdExpireWarning to
> some small value and set  pwdGraceAuthnLimit to 1 so they have once chance
> to log in with an expired passwd and change it.
>
>
>