
Re: Question pertaining to PPolicy overlay feature

In revision 1.58 I updated the operational attribute schema to match draft 9 of the password policy specification; it makes a number of attributes non-user-modifiable, including pwdAccountLockedTime. We may have to back out a couple more of these changes if there is no internal mechanism to alter these attributes. I'll raise this question on the ldapext mailing list and see what answers we get.

Shawn McKinney wrote:
To reset a user's LDAP account that has been locked
due to maxFailure bind failures, my client program
performs the following steps:

On the user entry that is locked:
set userPassword = to a new password value
set pwdReset = TRUE
delete pwdLockedTime operational attribute

Testing w/ version 1.56 ppolicy module the above steps
work flawlessly. The user must change password on
subsequent bind per PW policy setting.

But when I upgrade to latest version of ppolicy
module, 1.60, I get constraint violation when I
attempt removal of user's pwdLockedTime attribute.

My question is, for situations when the user account
is locked, how do we reset the user account
programmatically?  I have found leaving the pwdReset
flag alone will not unlock the user's account.



 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
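The three-step administrative reset quoted above, expressed as an added example that is not code from the thread, from Shawn's client, or from OpenLDAP itself. It builds the ldapmodify LDIF for the reset and evaluates whether an entry is currently locked from its ppolicy operational attributes. Assumptions: the attribute is named pwdAccountLockedTime as in the draft (the quoted message calls it pwdLockedTime); the DN, password and timestamps are constructed sample data; pwdLockoutDuration of 0 is taken to mean "locked until an administrator resets the account", per the password policy draft.

```python
"""Build the admin-reset LDIF for a ppolicy-locked entry and evaluate lock state.

Added example; not from the mailing-list thread or the OpenLDAP source.
"""
import base64
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Draft attribute name; the quoted message refers to it as pwdLockedTime.
LOCK_ATTR = "pwdAccountLockedTime"


def _ldif_attrval(attr: str, value: str) -> str:
    """Render attr: value, base64-encoding (attr:: ...) when the value is not
    an LDIF SAFE-STRING (leading space/colon/'<', non-ASCII, NUL/CR/LF)."""
    safe = (
        value != ""
        and value.isascii()
        and value[0] not in " :<"
        and not any(c in "\0\r\n" for c in value)
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_unlock_ldif(dn: str, new_password: str, delete_lock_attr: bool = True) -> str:
    """One LDIF change record: replace userPassword, set pwdReset TRUE and
    (optionally) delete the lock timestamp.  Because all three mods live in a
    single modify, a server that rejects the delete (constraint violation on a
    NO-USER-MODIFICATION attribute) applies none of them."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in (("userPassword", new_password), ("pwdReset", "TRUE")):
        lines += [f"replace: {attr}", _ldif_attrval(attr, value), "-"]
    if delete_lock_attr:
        lines += [f"delete: {LOCK_ATTR}", "-"]
    return "\n".join(lines) + "\n"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_locked(entry: Dict[str, str], lockout_duration: int,
              now: Optional[datetime] = None) -> bool:
    """Return True if the entry is still locked.

    entry            -- attribute name -> value, as read from the directory
    lockout_duration -- pwdLockoutDuration (seconds); 0 = locked until admin reset
    """
    locked_at = entry.get(LOCK_ATTR)
    if locked_at is None:
        return False                      # never locked, or already reset
    if lockout_duration == 0:
        return True                       # assumption: 0 means locked until reset
    now = now or datetime.now(timezone.utc)
    return now < parse_generalized_time(locked_at) + timedelta(seconds=lockout_duration)


if __name__ == "__main__":
    # Constructed sample entry: locked 30 minutes before "now".
    sample = {LOCK_ATTR: "20050101113000Z"}
    at = datetime(2005, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    print("locked (duration 0):   ", is_locked(sample, 0, at))
    print("locked (duration 600): ", is_locked(sample, 600, at))
    print(build_unlock_ldif("uid=shawn,ou=people,dc=example,dc=com", "N3w-Secret!"))
```

Feed the output to `ldapmodify -x -D <admin-dn> -W` as the directory administrator. If the server answers with a constraint violation on the delete, pass `delete_lock_attr=False`; the password and pwdReset changes will then be applied, but, as the original post observes, the account stays locked until the server itself offers a way to clear the timestamp.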