Re: how to check user lock status
- To: openldap-technical@openldap.org
- Subject: Re: how to check user lock status
- From: Dario Zanzico <dario@dariozanzico.com>
- Date: Sun, 19 Apr 2015 11:09:49 +0200
- In-reply-to: <002801d077ff$3184ffb0$948eff10$@163.com>
- References: <002801d077ff$3184ffb0$948eff10$@163.com>
On Thu, Apr 16, 2015, at 06:38 AM, rockwang wrote:
> Hi, all
>
> I set policy for user as following
> # default, policies, abc.com
> dn: cn=default,ou=policies,dc=abc,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAttribute: userPassword
> pwdMaxAge: 7776002
> pwdExpireWarning: 432000
> pwdInHistory: 3
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdMaxFailure: 5
> pwdLockout: TRUE
> pwdLockoutDuration: 900
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 0
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> pwdSafeModify: FALSE
>
> my question is how to check user lock status.
With this policy an entry will have its password expired (will be denied
BIND with an invalid credential message) when
#
account.pwdLastChange + policy.pwdMaxAge > $currentTimestamp
#
> Another question is
> pwdMustChange doesn't work in linux client when user first login.
Both pwdMustChange (in the policy) and pwdReset (on the entry) must be
set if you want the client to force an entry password to be reset before
logging it in.
> Rock.wang
dario zanzico
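
The lock, expiry and forced-change checks discussed in this thread, as an added example that is not part of the original messages. It assumes the ppolicy operational attributes pwdAccountLockedTime and pwdChangedTime (not named in the thread) have been read from the user entry; the function names are hypothetical and the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# Policy values quoted in the thread (cn=default,ou=policies,dc=abc,dc=com).
POLICY = {"pwdLockout": True, "pwdLockoutDuration": 900,
          "pwdMaxAge": 7776002, "pwdMustChange": True}
PERMANENT_LOCK = "000001010000Z"  # special value: locked until an admin resets

def parse_gt(value):
    """Parse a GeneralizedTime such as 20150416043800Z (fraction ignored)."""
    stamp = value.rstrip("Z").split(".")[0]
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def account_state(entry, policy, now):
    """Return the set of ppolicy states that apply to `entry` at time `now`.

    `entry` maps operational attribute names to single string values, as read
    with a search that requests them by name (they are not returned by default).
    """
    states = set()
    locked = entry.get("pwdAccountLockedTime")
    if locked and policy["pwdLockout"]:
        duration = policy["pwdLockoutDuration"]
        if locked == PERMANENT_LOCK or duration == 0:
            states.add("locked")
        elif now < parse_gt(locked) + timedelta(seconds=duration):
            states.add("locked")  # lockout window still running
    changed = entry.get("pwdChangedTime")
    if changed and policy["pwdMaxAge"] > 0:
        # Expired once the change time plus pwdMaxAge lies in the past.
        if parse_gt(changed) + timedelta(seconds=policy["pwdMaxAge"]) < now:
            states.add("expired")
    if policy["pwdMustChange"] and entry.get("pwdReset", "FALSE").upper() == "TRUE":
        states.add("must-change")
    return states or {"ok"}

# Constructed sample entries (not from the thread).
NOW = datetime(2015, 4, 19, 9, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "locked-10-min-ago": {"pwdAccountLockedTime": "20150419085000Z",
                          "pwdChangedTime": "20150401000000Z"},
    "lock-ran-out": {"pwdAccountLockedTime": "20150419080000Z",
                     "pwdChangedTime": "20150401000000Z"},
    "old-password-reset": {"pwdChangedTime": "20150101000000Z", "pwdReset": "TRUE"},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, sorted(account_state(entry, POLICY, NOW)))
```

A stale pwdAccountLockedTime can remain on the entry after pwdLockoutDuration has passed, which is why the presence of the attribute alone does not mean the account is still locked.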