[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ppolicy does not seem to work

On Mon, Feb 14, 2011 at 02:23:30PM -0800, Howard Chu wrote:

> Jan Kohnert wrote:
> >So there comes the next question: Is there a way to lock out specific users
> >permanently (other than creating a cronjob setting the lockout time new after
> >900s) or do I need to set pwdLockoutDuration to inf and so are forced to
> >manually reset users whose accounts were tried to be cracked?
> >
> Read the slapo-ppolicy manpage again. This is explicitly documented.

I assume that you are talking about setting pwdAccountLockedTime to
000001010000Z which is what I have generally done in these situations.

I think the man page could be improved here. For one thing,
pwdAccountLockedTime is listed as an operational attribute: this is quite
correct, but most such attributes cannot be set by user or admin action.
The wording does not explicitly say that the attribute can be set, and
indeed the schema fragment in the manpage includes NO-USER-MODIFICATION
which implies that it *cannot* be set. In fact the schema used by the
server does not include that flag so this is a doc error.

It is also worth noting that there are issues relating to replication
when using this attribute.

I will open an ITS and suggest new wording.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |