account locking strategy
Hello list.
I have to handle account locking on our directory, so as to keep
accounts from people not working here anymore. On Buchan's suggestion, I
have used ppolicy so far, with the pwdAccountLockedTime attribute set to
000001010000Z to lock unused accounts. This is really handy to handle
Unix accounts and web application accounts at once. However, there are
also some drawbacks:
- this is an operational attribute, thus a bit difficult to retrieve/edit
(additional search options needed)
- its locking value seems to be quite cryptic (but maybe I missed the
semantic description somewhere)
- it seems to be a binary field only (locked/unlocked), as opposed to
shadowMax, which allows setting an expiration date in advance. Even a
purely cosmetic contract expiration date would be helpful here, but I
didn't find anything similar in the standard schemas
- it doesn't easily handle the use case where you just need to extract
the list of valid accounts (such as scan-to-email features on copiers),
except by filtering on this attribute's value, which isn't always
possible (broken copier firmware, for instance)
The last issue could be worked around by filtering on the LDAP side
using a dynamic group, I think.
So, does anyone have a suggestion on how to handle this better?
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
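The "extract the valid account list" problem from the post, as an added example that is not part of the original message: a small script that reads an LDIF export (operational attributes included) and drops entries that ppolicy considers locked, using the 000001010000Z permanent-lock marker from the post plus the optional pwdLockoutDuration rule. The LDIF sample and the `active_mail_addresses` helper are constructed for this example; the minimal LDIF reader assumes one `attr: value` per line (no folding or base64 values).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export, e.g. from: ldapsearch -LLL -b ou=people,... '+' mail uid
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
mail: bob@example.com
pwdAccountLockedTime: 000001010000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
mail: carol@example.com
pwdAccountLockedTime: 20240101120000Z
"""

PERMANENT_LOCK = "000001010000Z"  # ppolicy marker: locked until an admin clears it

def parse_gentime(stamp):
    """GeneralizedTime as written by ppolicy (YYYYmmddHHMMSSZ), fractions ignored."""
    return datetime.strptime(stamp.split(".")[0].rstrip("Z"),
                             "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, no folding/base64."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def is_locked(entry, now, lockout_duration=0):
    """Locked if permanently marked, or if pwdLockoutDuration (seconds, 0 = forever)
    has not yet elapsed since the lock timestamp."""
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return False
    if values[0] == PERMANENT_LOCK or lockout_duration == 0:
        return True
    return now < parse_gentime(values[0]) + timedelta(seconds=lockout_duration)

def active_mail_addresses(ldif_text, now_gentime, lockout_duration=0):
    """Addresses of entries that are not locked at the given GeneralizedTime."""
    now = parse_gentime(now_gentime)
    return sorted(e["mail"][0] for e in parse_ldif(ldif_text)
                  if "mail" in e and not is_locked(e, now, lockout_duration))
```

With pwdLockoutDuration left at 0, carol stays locked for good; with a one-hour lockout she is active again the next day, which is the distinction the post's binary locked/unlocked view hides.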