[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: account locking strategy

To: Tony Earnshaw <tonni@hetnet.nl>
Subject: Re: account locking strategy
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Wed, 05 Dec 2007 08:43:20 +0200
Cc: openldap-software@openldap.org
In-reply-to: <47558A9E.7090304@hetnet.nl>
References: <47551D6F.8070108@inria.fr> <47558A9E.7090304@hetnet.nl>

On Tue, 2007-12-04 at 18:13 +0100, Tony Earnshaw wrote:
> Guillaume Rousse skrev, on 04-12-2007 10:27:
> 
> > I have to handle account locking on our directory, so as to keep 
> > accounts from people not working here anymore. On Buchan's suggestion, I 
> > used ppolicy sofar, with pwdAccountLockedTime attribute set to 
> > 000001010000Z to lock unused account. This is really handy to handle 
> > unix account and web applications account at once. However, they are 
> > also some drawbacks:
> 
> Dunno, this is probably all too child-like, but my site has an attribute 
> 'acountStatus' from qmail.schema. This is because my master provider is 
> also an MTA.
> 
> If it isn't set to "active", whoever it is  on the MTA can't do nothing 
> no more.

Not true, if it is set to nopop the user can still receive mail ...

However, this is another example of an application-level control
(objectclass shadowAccount is another example), which means you need to
jump through hoops to try and ensure all your applications use the same
attributes in the same way to have a consistent behaviour.

Thus, having a more conventient "lock this user", or "this entry - not
it's password - expires at this time" method on the directory side would
be convenient.

Regards,
Buchan

Follow-Ups:
- Re: account locking strategy
  - From: Tony Earnshaw <tonni@hetnet.nl>

References:
- account locking strategy
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
- Re: account locking strategy
  - From: Tony Earnshaw <tonni@hetnet.nl>

Prev by Date: Re: ACL with group???
Next by Date: sync replication fails
Index(es):
- Chronological
- Thread