[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Checking that account is locked

To: Clément OUDOT <clem.oudot@gmail.com>
Subject: Re: Checking that account is locked
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Thu, 16 Jun 2016 10:36:15 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-filter: OpenDKIM Filter v2.9.0 hermes.evolveum.com 5C185362A3B
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evolveum.com; s=46F1F96C-8266-11E5-BB5D-6C9186186C84; t=1466066472; bh=h8A0cc55I8siP3mlIa6zTTB8AhBchAc5v5uY9L+P0DY=; h=Subject:To:From:Message-ID:Date:MIME-Version:Content-Type: Content-Transfer-Encoding; b=49nWgKhvPUimqG5mUiZZQb5uP98wtCMXmnfB9UqlGRRgyREvtP6RHha+NKkQenoig 3hXsxsmPb/C08EbqgV8yQ621YPY4IwYxGWcOgkoHK9s7yBqXcmydpa9keuOLOjGAbv opOOWYUkjVJCMR3rTuc5VVjx4j4+/B/7I1KQQtLg=
In-reply-to: <CAK_oV48Ett7JmfntJp6rQvjPzm9kZki3hWcPvT=Q=B6uNAaHMA@mail.gmail.com>
References: <5761474A.1030103@evolveum.com> <CAK_oV48Ett7JmfntJp6rQvjPzm9kZki3hWcPvT=Q=B6uNAaHMA@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2

Thanks Clement,

I'm glad that you confirmed that. I was afraid that I'm overlookingsomething essential here.


On 06/15/2016 10:14 PM, Clément OUDOT wrote:

Well, if there is a default ppolicy configured, and yes you need tosearch it in cn=config, but it can also be a configuration parameteron your side. If there is not, the policy will be defined inpwdPolicySubentry, so you can directly request it.

Yes, theoretically I can have configuration parameter on my side. Butpractically that is asking for trouble during operation and maintenance.If the pointer to default password policy in OpenLDAP changes I'm quitesure nobody will think about updating the configuration of my application.

You also need to take into account the value 000001010000Z inpwdAccountLockedTime which means the password is locked forever.


Sure. I have seen that in the docs.

But we clearly lack of some operations that would allow to know thestate of an account. This could be an interesting discussion if wework on a new ppolicy draft.

Well, that's a bit more complex. It is not just an operation to checkthe status. But there are also usecases to search such accounts. E.g.statistics how many accounts are locked, look for locked accounts if anpassword attack is suspected, etc.


--
Radovan Semancik
Software Architect
evolveum.com

Follow-Ups:
- Re: Checking that account is locked
  - From: Clément OUDOT <clement.oudot@savoirfairelinux.com>
- Re: Checking that account is locked
  - From: Michael Ströder <michael@stroeder.com>

References:
- Checking that account is locked
  - From: Radovan Semancik <radovan.semancik@evolveum.com>
- Re: Checking that account is locked
  - From: Clément OUDOT <clem.oudot@gmail.com>

Prev by Date: Re: Checking that account is locked
Next by Date: Re: Checking that account is locked
Index(es):
- Chronological
- Thread