[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5579) Interaction of ppolicy attributes

Andrew Findlay wrote:

> Indeed, though draft-behera-ldap-password-policy-xx.txt is a bit unclear
> on the subject of that attribute:
> 5.3.3  pwdAccountLockedTime

> The current implementation does allow
> admins to set the value, which appears to be the only way to
> lock/unlock an account without changing the password.

The current implementation allows pretty much anybody to set the attribute. 
It's intended that it can only be set when using the Relax Constraints control.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/