
RE: [ldapext] Password Policy - locking accounts



Hi John!

>Is the notion of an administrator locking/unlocking (i.e. enable/disable
>for authentication) an entry within the scope of the password policy draft?
>This seems like a logical addition and a reasonable candidate for something
>to be done in a standard way.

The draft specifies an attribute called pwdAccountLockedTime which holds the
time at which the user's account was locked.
The draft states the following about the operational attribute (Section
4.3.3):

>A 0 value means that the account has been locked
>permanently, and that only an administrator can unlock the account.

Since 0 isn't a valid GeneralizedTime value, I assume it means 00000101000Z.
In any case, the administrator could simply set this attribute to the zero
value in an account, which would effectively provide an administrator with
the power to lock/unlock an entry.


>
>John  McMeeking
>

Andrew Sciberras


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
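
Added example (not part of the original message or of the draft's text): a Python function showing how an audit script might interpret pwdAccountLockedTime as discussed above. The spellings of the permanent-lock marker, the use of pwdLockoutDuration (a policy attribute from the draft that this message does not mention) and the returned state names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed spellings of the "locked permanently" marker: the literal 0 quoted
# from the draft, and an all-zero GeneralizedTime (year 0000, 1 January).
PERMANENT_MARKERS = {"0", "000001010000Z", "00000101000000Z"}

# Only the UTC forms YYYYMMDDHHMMZ and YYYYMMDDHHMMSSZ are accepted here.
_GT = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$")


def parse_generalized_time(value):
    """Return an aware UTC datetime, or raise ValueError."""
    m = _GT.match(value)
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    # datetime rejects year 0, so the marker can never be parsed as a date.
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def lock_state(locked_time, lockout_duration, now):
    """Classify an account from its pwdAccountLockedTime value.

    locked_time      -- attribute value as a string, or None if absent
    lockout_duration -- pwdLockoutDuration in seconds, or None if absent
    now              -- aware datetime used as the current time
    """
    if locked_time is None:
        return "unlocked"
    # Check the marker before parsing: it is not a real point in time.
    if locked_time in PERMANENT_MARKERS:
        return "locked-admin-only"
    try:
        locked_at = parse_generalized_time(locked_time)
    except ValueError:
        # Fail closed: an unreadable value is treated as a lock.
        return "locked-invalid-value"
    if not lockout_duration:
        # No duration (absent or 0): locked until an administrator resets it.
        return "locked-admin-only"
    if now < locked_at + timedelta(seconds=lockout_duration):
        return "locked-timed"
    return "lock-expired"
```
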