In revision 1.58 I updated the operational attribute schema to match
draft 9 of the password policy specification; it makes a number of
attributes non-user-modifiable, including pwdAccountLockedTime. We may
have to back out a couple more of these changes if there is no internal
mechanism to alter these attributes. I'll raise this question on the
ldapext mailing list and see what answers we get.
Shawn McKinney wrote:
> To reset a user's LDAP account that has been locked
> due to maxFailure bind failures, my client program
> performs the following steps:
>
> On the user entry that is locked:
> set userPassword to a new password value
> set pwdReset = TRUE
> delete pwdLockedTime operational attribute
>
> Testing w/ version 1.56 ppolicy module the above steps
> work flawlessly. The user must change password on
> subsequent bind per PW policy setting.
>
> But when I upgrade to latest version of ppolicy
> module, 1.60, I get constraint violation when I
> attempt removal of user's pwdLockedTime attribute.
>
> My question is, for situations when the user account
> is locked, how do we reset the user account
> programmatically? I have found leaving the pwdReset
> flag alone will not unlock the user's account.
>
> Thanks,
> Shawn
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/