
(ITS#5579) Interaction of ppolicy attributes



Full_Name: Andrew Findlay
Version: 2.4.10
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (88.97.25.132)


If an account becomes locked due to excessive failed authentications, its entry
will contain the attributes pwdFailureTime and pwdAccountLockedTime. If the
account is subsequently unlocked by setting a new password, all values of those
attributes are automatically removed. However, if the password is left alone and
the account is unlocked by removing pwdAccountLockedTime, values remain in
pwdFailureTime. This means that a single authentication failure will immediately
lock the account again.

pwdFailureTime cannot be modified directly, so I think there is a case for
clearing it when pwdAccountLockedTime is cleared explicitly.

Andrew
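
An added example (not part of the original report, and not OpenLDAP code): a check over exported operational attributes that flags entries left in the state the report describes, unlocked but still holding enough pwdFailureTime values that one more failed bind reaches the limit. The LDIF is constructed, and the threshold model is an assumption, with `max_failure` and `count_interval` standing for the policy's pwdMaxFailure and pwdFailureCountInterval.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: ldapsearch-style LDIF of operational attributes (not from the report).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20080627101500Z
pwdFailureTime: 20080627101501Z
pwdFailureTime: 20080627101502Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdFailureTime: 20080627101501Z
pwdFailureTime: 20080627101502Z
pwdAccountLockedTime: 20080627101502Z

dn: uid=carol,ou=people,dc=example,dc=com
pwdFailureTime: 20080627090000Z
"""

def parse_ldif(text):
    """Minimal parser: blank-line separated entries, 'attr: value' lines, no folding/base64."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def parse_time(value):
    """Generalized time; fractional seconds, if present, are ignored."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def relock_risk(entries, max_failure, count_interval, now):
    """DNs that are not locked but would lock again on the next failed bind (assumed model)."""
    at_risk = []
    for e in entries:
        if "pwdaccountlockedtime" in e:
            continue  # still locked: nothing has been cleared yet
        times = [parse_time(v) for v in e.get("pwdfailuretime", [])]
        if count_interval > 0:  # 0 means recorded failures never age out
            times = [t for t in times if now - t < timedelta(seconds=count_interval)]
        if len(times) + 1 >= max_failure:
            at_risk.append(e["dn"][0])
    return at_risk

if __name__ == "__main__":
    now = datetime(2008, 6, 27, 10, 20, 0, tzinfo=timezone.utc)
    print(relock_risk(parse_ldif(SAMPLE_LDIF), max_failure=3, count_interval=0, now=now))
```
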