Checking that account is locked
- To: firstname.lastname@example.org
- Subject: Checking that account is locked
- From: Radovan Semancik <email@example.com>
- Date: Wed, 15 Jun 2016 14:17:14 +0200
I was exploring the account lockout functionality of the password policy
overlay. I would like to know how to reliably check whether a particular
account is locked or not (e.g. for use by a helpdesk application).

It looks from the documentation like this is not possible to do by
just examining the account LDAP entry. Is that right?

The locked account contains pwdAccountLockedTime that indicates the time
when the account was locked. But I also need to determine whether the
lock has not expired. For that I need the value of pwdLockoutDuration
from the password policy. But how do I determine which entry contains the
default password policy? For that I need access to cn=config, right? So
if my helpdesk application does not have access to cn=config then
I'm pretty much out of luck.

Is my thinking OK or have I overlooked something?
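
The expiry check described in the message above, as an added example that is not part of the original post and is not OpenLDAP code: it combines pwdAccountLockedTime from the account entry with a pwdLockoutDuration value to decide whether the lock is still in force. Assumptions: the function names are hypothetical, the caller already holds the policy's pwdLockoutDuration (how a helpdesk application finds the applicable policy entry is the open question and is not solved here), and the `000001010000Z` marker and the meaning of a zero or absent duration follow the ppolicy overlay documentation rather than the post.

```python
from datetime import datetime, timedelta, timezone

# ppolicy marker value: locked until an administrator resets the account
PERMANENT_LOCK = "000001010000Z"

def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime such as 20160615121500Z (fraction optional)."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime, got %r" % value)
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def lock_state(entry, lockout_duration, now):
    """Return (locked, unlock_time) for one account entry.

    entry            -- dict of attribute name -> list of string values
    lockout_duration -- pwdLockoutDuration in seconds (0 or None: no expiry)
    now              -- timezone-aware datetime used as the current time
    unlock_time is None when the account is not locked or the lock never expires.
    """
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return (False, None)          # attribute absent: not locked
    if values[0] == PERMANENT_LOCK:
        return (True, None)           # must be checked before parsing (year 0000)
    if not lockout_duration:
        return (True, None)           # no duration: locked until reset
    unlock_at = parse_generalized_time(values[0]) + timedelta(seconds=lockout_duration)
    # The attribute alone does not prove a lock: it may describe one that has expired.
    return (now < unlock_at, unlock_at)

if __name__ == "__main__":
    # Constructed sample entry and policy value, not taken from a real directory
    sample = {"pwdAccountLockedTime": ["20160615121500Z"]}
    now = datetime(2016, 6, 15, 12, 17, 14, tzinfo=timezone.utc)
    print(lock_state(sample, 900, now))
```
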