[Date Prev][Date Next] [Chronological] [Thread] [Top]

Checking that account is locked

To: openldap-technical@openldap.org
Subject: Checking that account is locked
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Wed, 15 Jun 2016 14:17:14 +0200
Dkim-filter: OpenDKIM Filter v2.9.0 hermes.evolveum.com 564F13629B1
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evolveum.com; s=46F1F96C-8266-11E5-BB5D-6C9186186C84; t=1465993329; bh=WRjTkocSKze7896p+RN7FREfHw1cTe8W4BLeqpvKKVk=; h=To:From:Subject:Message-ID:Date:MIME-Version:Content-Type: Content-Transfer-Encoding; b=s18+7RQe/Q7pANCH088TsTbW3k4zmNt82tE4KD6/Moprnt9ITjBHPeRj+Vq3CDvqP XBM+cOgljElz4ZBfxCIrcMF1wM2H1moFKeR922sA3ed7qDayC+s5C8YADpFOjj2UrX Rpxj96xrQElzeiUJHx1ioseoejGAJihLZvHfUkxY=
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0

Hi,

I was exploring account lockout functionality of password policyoverlay. I would like to know how to reliably check whether particularaccount is locked or not (e.g. for use by a helpdesk application).

It looks like from the documentation that this is not possible to do byjust examining the account LDAP entry. Is that right?

The locked account contains pwdAccountLockedTime that indicates the timewhen the account was locked. But I also need to determine whether thelock has not expired. For that I need the value of pwdLockoutDurationfrom the password policy. But how to determine what entry contains adefault password policy? For that I need access to cn=config, right? Soif my helpdesk application does not have access to the cn=config thenI'm pretty much out of luck.


Is my thinking OK or have I overlooked something?

--
Radovan Semancik
Software Architect
evolveum.com

Follow-Ups:
- Re: Checking that account is locked
  - From: Clément OUDOT <clem.oudot@gmail.com>

Prev by Date: Re: Assertion failed
Next by Date: Re: Odd MMR behaviour with delta-syncrepl and refreshAndPersist
Index(es):
- Chronological
- Thread