
Re: (ITS#5579) Interaction of ppolicy attributes



andrew.findlay@skills-1st.co.uk wrote:
> Full_Name: Andrew Findlay
> Version: 2.4.10
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (88.97.25.132)
>
>
> If an account becomes locked due to excessive failed authentications, its entry
> will contain the attributes pwdFailureTime and pwdAccountLockedTime. If the
> account is subsequently unlocked by setting a new password, all values of those
> attributes are automatically removed. However, if the password is left alone and
> the account is unlocked by removing pwdAccountLockedTime, values remain in
> pwdFailureTime. This means that a single authentication failure will immediately
> lock the account again.
>
> pwdFailureTime cannot be modified directly, so I think there is a case for
> clearing it when pwdAccountLockedTime is cleared explicitly.

Technically, you're not supposed to be able to modify pwdAccountLockedTime 
directly either. The current behavior is a temporary hack. The only legitimate 
way to remove those attributes is by setting a new password. I'm rejecting 
this ITS.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
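To make the interaction Andrew describes concrete, here is an added Python model of how the password policy (draft-behera-ldap-password-policy, as implemented by OpenLDAP's slapo-ppolicy overlay) counts failed binds and when it sets pwdAccountLockedTime. It is illustration written for this page, not OpenLDAP code: the entry is a plain dict standing in for the LDAP entry, the uid and timestamps are constructed, pwdMaxFailure=3 is an assumed policy setting, and the two unlock paths (deleting pwdAccountLockedTime versus changing the password) are modelled from the behaviour stated in the thread. It also exercises pwdFailureCountInterval, which is part of the same policy schema and determines how long stale pwdFailureTime values keep counting.

```python
"""Failure counting in the LDAP password policy (draft-behera-ldap-password-policy),
as used by OpenLDAP's slapo-ppolicy overlay.

Added illustration, not OpenLDAP code. Entries are plain dicts keyed by attribute
name; timestamps use LDAP GeneralizedTime in UTC, as ppolicy stores them.
"""
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def to_gt(t: datetime) -> str:
    return t.strftime(GENERALIZED_TIME)


def from_gt(s: str) -> datetime:
    return datetime.strptime(s, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


class Policy:
    """Subset of pwdPolicy attributes relevant to lockout."""

    def __init__(self, pwd_max_failure=3, pwd_failure_count_interval=0, pwd_lockout=True):
        self.pwd_max_failure = pwd_max_failure
        # seconds after which a failure stops counting; 0 means failures never expire
        self.pwd_failure_count_interval = pwd_failure_count_interval
        self.pwd_lockout = pwd_lockout


def is_locked(entry: dict) -> bool:
    return "pwdAccountLockedTime" in entry


def counted_failures(entry: dict, policy: Policy, now: datetime) -> list:
    """pwdFailureTime values still inside pwdFailureCountInterval."""
    times = entry.get("pwdFailureTime", [])
    if policy.pwd_failure_count_interval == 0:
        return list(times)
    cutoff = now - timedelta(seconds=policy.pwd_failure_count_interval)
    return [t for t in times if from_gt(t) >= cutoff]


def record_failure(entry: dict, policy: Policy, now: datetime) -> bool:
    """Server side of a failed bind: expire old pwdFailureTime values, add one for
    this failure, and set pwdAccountLockedTime once the count reaches pwdMaxFailure.
    Returns True if the account is locked afterwards."""
    times = counted_failures(entry, policy, now)
    times.append(to_gt(now))
    entry["pwdFailureTime"] = times
    if policy.pwd_lockout and policy.pwd_max_failure and len(times) >= policy.pwd_max_failure:
        entry["pwdAccountLockedTime"] = to_gt(now)
    return is_locked(entry)


def unlock_by_deleting_locked_time(entry: dict) -> None:
    """The administrative shortcut discussed in the thread: delete pwdAccountLockedTime
    only. The pwdFailureTime values are left in place."""
    entry.pop("pwdAccountLockedTime", None)


def unlock_by_password_change(entry: dict, new_password: str) -> None:
    """A password change clears both operational attributes."""
    entry["userPassword"] = [new_password]
    entry.pop("pwdAccountLockedTime", None)
    entry.pop("pwdFailureTime", None)


def relocks_on_next_failure(unlock: str, interval: int = 0, delay: int = 0) -> bool:
    """Lock a constructed account with pwdMaxFailure failures, unlock it the given way,
    wait `delay` seconds, then fail one more bind. Returns whether that relocks it."""
    policy = Policy(pwd_max_failure=3, pwd_failure_count_interval=interval)
    t0 = datetime(2008, 6, 18, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
    entry = {"uid": ["jdoe"], "userPassword": ["old"]}  # constructed entry
    for i in range(policy.pwd_max_failure):
        record_failure(entry, policy, t0 + timedelta(seconds=i))
    assert is_locked(entry)
    if unlock == "delete-locked-time":
        unlock_by_deleting_locked_time(entry)
    elif unlock == "password-change":
        unlock_by_password_change(entry, "new")
    else:
        raise ValueError(unlock)
    later = t0 + timedelta(seconds=policy.pwd_max_failure + delay)
    return record_failure(entry, policy, later)


if __name__ == "__main__":
    print("delete pwdAccountLockedTime only, relocks:",
          relocks_on_next_failure("delete-locked-time"))
    print("password change, relocks:", relocks_on_next_failure("password-change"))
    print("delete only, 60s interval, 120s later, relocks:",
          relocks_on_next_failure("delete-locked-time", interval=60, delay=120))
```

With pwdFailureCountInterval left at 0, the model reproduces the report: removing pwdAccountLockedTime alone leaves three counted failures behind, so the next bad bind is the fourth and the account locks again, while a password change clears pwdFailureTime and the next bad bind is counted as the first. The last case shows the knob that does change the outcome within the policy itself: once the old failures fall outside pwdFailureCountInterval they stop counting, so an account unlocked by deleting pwdAccountLockedTime after the interval has passed does not relock on a single failure.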