Shawn McKinney wrote:
> --- Howard Chu <[EMAIL PROTECTED]> wrote:
>> The current revision in CVS HEAD makes the pwdAccountLockedTime user
>> modifiable again (undoing the draft-9 change for now) and also deletes
>> the attribute automatically when the password is changed.
>
> I've verified that version 1.62 behaves in the manner described above.
> But, I am not sure which way to proceed -
> 1. remove the pwdAccountLockedTime attribute w/ client
> or
> 2. leave the attribute alone, let the ppolicy overlay modify it.
> Any recommendations? Right now both ways work.
Both ways are intended to work, because there are really two separate
use cases. In one case, it should be possible to reset the locked status
of an account without requiring the password to be changed at the same
time. This would be a situation e.g. where a third party tried
unsuccessfully to guess the user's password, causing the account to get
locked. The user still knows the password, and the password's integrity
has not been violated, so the user ought to be allowed to continue to
use it. (There is of course a side issue of tracking down the third
party and putting a stop to whatever they're doing, but that's a
separate discussion...)
The other case is where the user forgot their own password and got the
account locked while trying to recall the password. In that case, just
resetting the password ought to be sufficient to restore the account to
usefulness.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
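The two unlock paths Howard describes above, as an added example that is not part of the original thread and not slapd or ppolicy source: a small Python model that produces the LDIF an administrator would feed to ldapmodify for each case (delete pwdAccountLockedTime outright, or replace userPassword and let the overlay drop the lock), applies it to a sample entry, and checks the lock state before and after. The lock semantics (the 000001010000Z sentinel meaning an administrative lock, pwdLockoutDuration 0 meaning no automatic expiry) follow draft-behera-ldap-password-policy; that the overlay also clears pwdFailureTime on a password change is my assumption, not something the thread states. The DN, hashes and timestamps are constructed.

```python
# Added example, not OpenLDAP code: a model of the two ways to clear a
# ppolicy lock, with the LDIF for each. Lock rules follow the draft as I
# read it; the pwdFailureTime cleanup on password change is an assumption.
from datetime import datetime, timedelta, timezone

GENTIME = "%Y%m%d%H%M%SZ"          # GeneralizedTime as slapd writes it
PERMANENT_LOCK = "000001010000Z"   # draft sentinel: locked until an admin clears it


def parse_gentime(value: str) -> datetime:
    return datetime.strptime(value, GENTIME).replace(tzinfo=timezone.utc)


def is_locked(entry: dict, now: str, pwd_lockout_duration: int) -> bool:
    """Would ppolicy refuse a bind for this entry at GeneralizedTime `now`?
    pwd_lockout_duration mirrors pwdLockoutDuration (seconds); 0 means the
    lock never expires on its own."""
    values = entry.get("pwdAccountLockedTime", [])
    if not values:
        return False
    locked_at = values[0]
    if locked_at == PERMANENT_LOCK or pwd_lockout_duration == 0:
        return True
    expiry = parse_gentime(locked_at) + timedelta(seconds=pwd_lockout_duration)
    return parse_gentime(now) < expiry


def unlock_ldif(dn: str) -> str:
    """Case 1 (someone else triggered the lock): clear it, keep the password."""
    return f"dn: {dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n-\n"


def reset_password_ldif(dn: str, new_password: str) -> str:
    """Case 2 (user forgot the password): set a new one; the overlay drops the lock."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: userPassword\nuserPassword: {new_password}\n-\n")


def apply_modify(entry: dict, ldif: str) -> dict:
    """Apply a plain-text LDIF modify (no base64 '::' values) to an entry and
    emulate the overlay side effect from the thread: any write to userPassword
    also removes pwdAccountLockedTime. Removing pwdFailureTime with it is an
    assumption about the overlay's bookkeeping, not something the thread says."""
    result = {k: list(v) for k, v in entry.items()}
    current = None      # (op, attribute) of the mod currently being read
    touched = set()
    for line in ldif.splitlines():
        if not line or line.startswith(("dn:", "changetype:")):
            continue
        if line == "-":
            current = None
            continue
        key, _, value = line.partition(": ")
        if key in ("add", "delete", "replace"):
            current = (key, value)
            touched.add(value)
            if key != "add":
                result.pop(value, None)      # whole-attribute delete/replace
        elif current and key == current[1]:
            result.setdefault(key, []).append(value)
        else:
            raise ValueError(f"unexpected LDIF line: {line!r}")
    if "userPassword" in touched:
        result.pop("pwdAccountLockedTime", None)
        result.pop("pwdFailureTime", None)
    return result


# Constructed sample: an account locked at 11:30 after three bad binds.
DN = "uid=shawn,ou=People,dc=example,dc=com"
LOCKED_ENTRY = {
    "userPassword": ["{SSHA}oldhash"],
    "pwdAccountLockedTime": ["20050301113000Z"],
    "pwdFailureTime": ["20050301112800Z", "20050301112900Z", "20050301113000Z"],
}


def walk_both_paths(now: str = "20050301120000Z") -> dict:
    """Run the sample entry through each unlock path and report the outcome
    under a one-hour pwdLockoutDuration."""
    via_unlock = apply_modify(LOCKED_ENTRY, unlock_ldif(DN))
    via_reset = apply_modify(LOCKED_ENTRY, reset_password_ldif(DN, "{SSHA}newhash"))
    return {
        "locked_before": is_locked(LOCKED_ENTRY, now, 3600),
        "unlock_keeps_password": via_unlock["userPassword"] == LOCKED_ENTRY["userPassword"],
        "unlock_clears_lock": not is_locked(via_unlock, now, 3600),
        "reset_clears_lock": not is_locked(via_reset, now, 3600),
        "reset_changes_password": via_reset["userPassword"] == ["{SSHA}newhash"],
    }


if __name__ == "__main__":
    for name, ok in walk_both_paths().items():
        print(f"{name}: {ok}")
```

Note that the unlock-only LDIF leaves pwdFailureTime in place; whether an administrator should delete that attribute too is a policy question the thread does not address, and the model makes no claim about it. Both LDIF fragments assume the binding identity has write access to the attributes in question and that the overlay permits client modification of pwdAccountLockedTime, as the CVS HEAD revision discussed above does.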