Re: how to check user lock status



On Mon, Apr 20, 2015, at 09:27 AM, Clément OUDOT wrote:
> 2015-04-19 11:09 GMT+02:00 Dario Zanzico <dario@dariozanzico.com>:

[cut]

> This is about password expiration, not password lock status. To check
> lock, read pwdAccountLockedTime attribute. If it is present, the
> password is locked.

You're right, I misunderstood the OP's message.
But checking for the pwdAccountLockedTime presence is not enough,
because the attribute is not automatically deleted after
pwdLockoutDuration seconds. It's removed only if the entry binds
successfully after at least pwdLockoutDuration seconds after
pwdAccountLockedTime.
The test should then be:

user_locked = (entry.pwdAccountLockedTime + policy.pwdLockoutDuration)
              > $currentTimestamp

The attribute pwdAccountLockedTime can also be set to the special value
000001010000Z (administrative lockout). If we consider this case too,
the test becomes:

user_locked = ( entry.pwdAccountLockedTime == 000001010000Z )
              || ( (entry.pwdAccountLockedTime + policy.pwdLockoutDuration)
                   > $currentTimestamp )

> Clément.

dario
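
The lock test described in the message above, written out as an added Python example (not part of the original thread). The function names are hypothetical and the attribute values are assumed to have been read from the entry and its policy already. It goes one step beyond the message by treating a pwdLockoutDuration of 0, or an absent one, as "locked until an administrator resets it", which is how the password policy overlay defines that setting.

```python
from datetime import datetime, timedelta, timezone

# Special value quoted in the thread: administrative lockout.
ADMIN_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime such as 20150420092700Z (fraction optional)."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC GeneralizedTime ending in Z: %r" % value)
    body = value[:-1].split(".")[0].split(",")[0]  # drop any fractional part
    fmt = {14: "%Y%m%d%H%M%S", 12: "%Y%m%d%H%M", 10: "%Y%m%d%H"}.get(len(body))
    if fmt is None:
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def is_locked(pwd_account_locked_time, pwd_lockout_duration, now=None):
    """Return True if the entry is locked at time `now`.

    pwd_account_locked_time: attribute value as a string, or None if absent.
    pwd_lockout_duration: seconds from the policy, or None if absent.
    """
    if pwd_account_locked_time is None:
        return False  # attribute absent: not locked
    # Compare the special value as a string before parsing: year 0000 is
    # outside the range Python's datetime can represent.
    if pwd_account_locked_time == ADMIN_LOCK:
        return True
    if not pwd_lockout_duration:
        return True  # 0 or absent: stays locked until an administrator resets it
    if now is None:
        now = datetime.now(timezone.utc)
    locked_at = parse_generalized_time(pwd_account_locked_time)
    # The attribute may still be present after the lockout has expired,
    # so its presence alone does not mean the entry is locked.
    return locked_at + timedelta(seconds=pwd_lockout_duration) > now
```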