[Date Prev][Date Next] [Chronological] [Thread] [Top] (Account Usability Control) supported?


I'd like to know if the "Account Usability Control"
(oid= is supported by OpenLDAP.

I ran:

--($:~)-- ldapsearch -h winds06 -p 389 -b '' -s base '(objectClass=*)' supportedControl
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: supportedControl

supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

According to this, the required control isn't listed. Is
this just because of a misconfiguration of my OpenLDAP
2.3.35 server? Some other server implements that, but I'd
rather like to use OpenLDAP instead of this other server,
as OpenLDAP is available for more platforms.

One source of information I found is at
Because of the non-standard port of this server, I'm copying
the information:

    The account usability control provides a pair of
    request and response controls that can be used to
    determine whether a user account may be used for
    authenticating to the server.

    The request control has an OID of
    and does not include a value. It should only be
    included in search request messages.

    The corresponding response control has an OID of (the same as the request
    control), and it will be included in any search
    result entry messages for a search request that
    includes the account usability request control.

    The value for the account usability response control
    will be encoded as follows:

         is_available           [0] INTEGER, -- Seconds before expiration --
         is_not_available       [1] MORE_INFO }

         inactive               [0] BOOLEAN DEFAULT FALSE,
         reset                  [1] BOOLEAN DEFAULT FALSE,
         expired                [2] BOOLEAN DEFAULT_FALSE,
         remaining_grace        [3] INTEGER OPTIONAL,
         seconds_before_unlock  [4] INTEGER OPTIONAL }

    If the user account is available, then the control
    will include the number of seconds until the user's
    password expires, or -1 if password expiration is
    not enabled. If the user's account is not available,
    then the control will provide the reason it is

This control is required to get password less logins to work.

Thanks a lot,