[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5579) Interaction of ppolicy attributes

On Sat, Jun 28, 2008 at 07:21:44PM -0700, Howard Chu wrote:

> >pwdFailureTime cannot be modified directly, so I think there is a case for
> >clearing it when pwdAccountLockedTime is cleared explicitly.
> Technically, you're not supposed to be able to modify pwdAccountLockedTime 
> directly either. The current behavior is a temporary hack. The only 
> legitimate way to remove those attributes is by setting a new password. I'm 
> rejecting this ITS.

Indeed, though draft-behera-ldap-password-policy-xx.txt is a bit unclear
on the subject of that attribute:

5.3.3  pwdAccountLockedTime

   This attribute holds the time that the user's account was locked. A
   locked account means that the password may no longer be used to
   authenticate.  A 000001010000Z value means that the account has been
   locked permanently, and that only a password administrator can unlock
   the account.

One reading of that clause is that *setting* pwdAccountLockedTime to
000001010000Z is the way to lock an account by administrative action. 
There does not appear to be anything in the I-D that would cause the
server to set that value itself.  The current implementation does allow
admins to set the value, which appears to be the only way to
lock/unlock an account without changing the password.

I would certainly prefer to have separate attributes for 'admin lock'
and 'auto lock'.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |