[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Grace period for inactive accounts?

To: "John Maki" <jmaki66@yahoo.com>
Subject: Re: Grace period for inactive accounts?
From: "Gavin Henry" <ghenry@suretecsystems.com>
Date: Fri, 14 Mar 2008 22:28:22 -0000 (GMT)
Cc: Scott Classen <sclassen@lbl.gov>, openldap-software@openldap.org
Importance: Normal
In-reply-to: <56327.212.159.59.85.1205533086.squirrel@webmail.suretecsystems.com>
Openpgp: id=796B1E87DB73BEA8
References: <427558.57374.qm@web32608.mail.mud.yahoo.com> <47DA42A6.3050900@OpenLDAP.org> <47DA4AA1.9050903@symas.com> <f16f67e2151e.47da5268@lbl.gov> <56327.212.159.59.85.1205533086.squirrel@webmail.suretecsystems.com>
User-agent: SquirrelMail/1.4.13-1.fc8

>> Seems to me that you just need to judiciously set up ppolicy.
>> set pwdMaxAge to the max time you want your users to be able to have an
>> inactive account
>> then set pwdGraceAuthnLimit to 0
>
> This won't work unless he means "after a period of inactivity" to be
> actually changing their password.
>
> For example, if he wants to lock an account after 15 days of no logins,
> then if a user logs in on day 14, he would expect the lockout period to be
> reset. However, to reset it the user would have to change their password
> so pwdChangeTime updates.
>
> Or am I way off?
>

This of course could be forced by setting pwdMustChange

Then when the user logs in on the day 14, they must change it.

References:
- Grace period for inactive accounts?
  - From: John Maki <jmaki66@yahoo.com>
- Re: Grace period for inactive accounts?
  - From: Gavin Henry <ghenry@OpenLDAP.org>
- Re: Grace period for inactive accounts?
  - From: Howard Chu <hyc@symas.com>
- Re: Grace period for inactive accounts?
  - From: Scott Classen <SClassen@lbl.gov>
- Re: Grace period for inactive accounts?
  - From: "Gavin Henry" <ghenry@suretecsystems.com>

Prev by Date: Re: Grace period for inactive accounts?
Next by Date: Re: slurpd does not sync master and slave
Index(es):
- Chronological
- Thread