[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Question pertaining to PPolicy overlay feature

Shawn McKinney wrote:
--- Howard Chu <hyc@symas.com> wrote:
The current revision in CVS HEAD makes the
pwdAccountLockedTime user modifiable again (undoing the draft-9 change for
now) and also deletes the attribute automatically when the password is

I've verified that version 1.62 behaves in the manner
described above.

But, I am not sure which way to proceed -

1. remove the pwdAccountLockedTime attribute w/ client
2. leave the attribute alone, let the ppolicy overlay
modify it.

Any recommendations? Right now both ways work.
Both ways are intended to work, because there are really two separate use cases. In one case, it should be possible to reset the locked status of an account without requiring the password to be changed at the same time. This would be a situation e.g. where a third party tried unsuccessfully to guess the user's password, causing the account to get locked. The user still knows the password, and the password's integrity has not been violated, so the user ought to be allowed to continue to use it. (There is of course a side issue of tracking down the third party and putting a stop to whatever they're doing, but that's a separate discussion...)

The other case is where the user forgot their own password and got the account locked while trying to recall the password. In that case, just resetting the password ought to be sufficient to restore the account to usefulness.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/