Re: Grace period for inactive accounts?

[Scott Classen <SClassen@lbl.gov>]

----- Original Message -----
From: Howard Chu <hyc@symas.com>
Date: Friday, March 14, 2008 2:55 am
Subject: Re: Grace period for inactive accounts?
To: Gavin Henry <ghenry@openldap.org>
Cc: openldap-software@openldap.org, John Maki <jmaki66@yahoo.com>

> Gavin Henry wrote:
> > John Maki wrote:
> >> Hi, I'm using Openldap 2.3.38 with the ppolicy overlay
> >> on a Fedora 7 x86-64 server.  Is there any
> >> functionality built in to provide account locking
> >> after a certain length of time after a password
> >> expires?  Similiar to pwdGraceAuthnLimit but based on
> >> time rather than number of login attempts?  I'd like
> >> to be able to lock accounts after a period of
> >> inactivity.  Or am I missing some other way of doing
> >> this?
> >>
> >
> > There's nothing I can see or know about. Anyone else?
> >
> Read the spec.

Seems to me that you just need to judiciously set up ppolicy.
set pwdMaxAge to the max time you want your users to be able to have an inactive account
then set pwdGraceAuthnLimit to 0

then if a user hasn't logged in within your set amount of time their account will be locked.

This is pretty harsh though. You could probably set pwdExpireWarning to some small value and set  pwdGraceAuthnLimit to 1 so they have once chance to log in with an expired passwd and change it.