
Question about ppolicy usage



Hi list,

I realize I'm trying to use the ppolicy overlay a little differently
from how it was designed to be used. The problem is that the ppolicy
overlay is the closest thing I have found.

My use case:

1) I want to be able to disable users. I can do this by setting:
pwdAccountLockedTime: 000001010000Z

That works. Great!

2) I want to be able to set a date in the future when a user account
will expire / deactivate.

I was hoping to be able to set "pwdAccountLockedTime" to a date in the
future and after that date the user account would be locked.

Unfortunately this isn't the case. ppolicy seems to lock out every
account that has the "pwdAccountLockedTime" attribute set to a valid value.

Reading the source code for ppolicy I find an interesting block in the
function "account_locked()" at line 356:

/* Still in the future? not yet in effect */
if (now < then)
 return 0;

This leads me to believe that the author's intention may have been to
allow what I want to do.

Perhaps there is another attribute I need to set in order to tweak
ppolicy to do what I want? Here's what the default policy looks like:

dn: cn=passwordDefault,ou=Policies,ou=local
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 0
pwdInHistory: 0
pwdMaxFailure: 0
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: FALSE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE


All help greatly appreciated!
TIA,
Mikael
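
An added example (not part of the original post, and not OpenLDAP code): a small audit over exported LDIF that separates the kinds of pwdAccountLockedTime value the post discusses, so that future-dated values, which the post reports as locking the account immediately, can be found. The function names, status labels and sample entries are assumptions made for illustration; it assumes unfolded, non-base64 LDIF and UTC ("Z") timestamps.

```python
import re
from datetime import datetime, timezone

PERMANENT = "000001010000Z"  # value the post uses to disable an account
_GT = re.compile(r"^(\d{12})(\d{2})?Z$")

def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime (YYYYMMDDHHMM[SS]Z); None if unparsable."""
    m = _GT.match(value.strip())
    if not m:
        return None
    digits = m.group(1) + (m.group(2) or "00")
    try:
        return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    except ValueError:  # year 0000, month 13, and similar
        return None

def classify(value, now):
    """Classify one pwdAccountLockedTime value (or None) relative to `now`."""
    if value is None:
        return "active"
    if value.strip() == PERMANENT:
        return "disabled"
    then = parse_generalized_time(value)
    if then is None:
        return "invalid"
    return "future" if now < then else "locked"  # same comparison as the quoted check

def audit(ldif_text, now):
    """Return {dn: status} for each entry in a simple LDIF export."""
    report = {}
    for block in ldif_text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "dn" in attrs:
            report[attrs["dn"]] = classify(attrs.get("pwdAccountLockedTime"), now)
    return report

# Constructed sample entries (hypothetical users, not from the post).
SAMPLE = """\
dn: uid=alice,ou=People,ou=local

dn: uid=bob,ou=People,ou=local
pwdAccountLockedTime: 000001010000Z

dn: uid=carol,ou=People,ou=local
pwdAccountLockedTime: 20300101000000Z

dn: uid=dave,ou=People,ou=local
pwdAccountLockedTime: 20200101000000Z"""
```

Entries reported as "future" are the ones to review: whether they can still bind depends on how the running slapd treats a lock time that has not yet arrived.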