On Thu, Apr 16, 2015, at 06:38 AM, rockwang wrote:
> Hi, all
>
> I set the policy for users as follows:
>
> # default, policies, abc.com
> dn: cn=default,ou=policies,dc=abc,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAttribute: userPassword
> pwdMaxAge: 7776002
> pwdExpireWarning: 432000
> pwdInHistory: 3
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdMaxFailure: 5
> pwdLockout: TRUE
> pwdLockoutDuration: 900
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 0
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> pwdSafeModify: FALSE
>
> My question is how to check the user lock status.

With this policy an entry will have its password expired (it will be denied BIND with an invalid credentials message) when

# account.pwdLastChange + policy.pwdMaxAge > $currentTimestamp #

> Another question is:
> pwdMustChange doesn't work in the Linux client when the user first logs in.

Both pwdMustChange (in the policy) and pwdReset (on the entry) must be set if you want the client to force an entry's password to be reset before logging it in.

> Rock.wang

dario zanzico
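The lock, expiry and reset state that the question asks about all live in operational attributes on the user entry (pwdAccountLockedTime, pwdFailureTime, pwdChangedTime, pwdReset), which slapd only returns when they are requested explicitly, e.g. with ldapsearch and the '+' pseudo-attribute. The script below is an added example, not code from the thread or from OpenLDAP: it takes such an entry and the policy in the LDIF form ldapsearch prints and evaluates them against the policy's pwdLockoutDuration, pwdMaxAge and pwdExpireWarning. The user entry, its uid and all timestamps are constructed sample data; the policy values are the ones posted above.

```python
"""Evaluate OpenLDAP ppolicy state (lock, expiry, reset) for one entry.

Added example, not from the thread or from OpenLDAP. Sample data is constructed.
On a live server the entry would be fetched with its operational attributes, e.g.
    ldapsearch -x -D cn=admin,dc=abc,dc=com -W -b dc=abc,dc=com '(uid=rock)' '+'
"""
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"       # LDAP GeneralizedTime as slapd writes it
ADMIN_LOCK = "000001010000Z"      # ppolicy sentinel: locked by an administrator

# Constructed sample: the lockout/expiry attributes of the policy from the question.
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=abc,dc=com
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
"""

# Constructed sample user (hypothetical uid): five failed binds ending at
# 06:30:20Z tripped the lockout, and an earlier admin reset left pwdReset TRUE.
USER_LDIF = """\
dn: uid=rock,ou=people,dc=abc,dc=com
uid: rock
pwdChangedTime: 20150101120000Z
pwdFailureTime: 20150416063001Z
pwdFailureTime: 20150416063005Z
pwdFailureTime: 20150416063010Z
pwdFailureTime: 20150416063015Z
pwdFailureTime: 20150416063020Z
pwdAccountLockedTime: 20150416063020Z
pwdReset: TRUE
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; folds continuation lines (no base64)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # LDIF line folding
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def gtime(value):
    """GeneralizedTime string -> timezone-aware datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def first(entry, attr, default=None):
    return entry.get(attr, [default])[0]


def account_status(entry, policy, now_gt):
    """Lockout, failure count, expiry and reset state of `entry` at time `now_gt`."""
    now = gtime(now_gt)
    status = {}

    # Lockout: slapd sets pwdAccountLockedTime after pwdMaxFailure failed binds when
    # pwdLockout is TRUE. pwdLockoutDuration 0 (or the admin sentinel) means the lock
    # stays until an administrator deletes the attribute.
    locked_at = first(entry, "pwdAccountLockedTime")
    duration = int(first(policy, "pwdLockoutDuration", "0"))
    if locked_at is None:
        status["locked"], status["unlock_at"] = False, None
    elif locked_at == ADMIN_LOCK or duration == 0:
        status["locked"], status["unlock_at"] = True, None
    else:
        unlock = gtime(locked_at) + timedelta(seconds=duration)
        status["locked"] = now < unlock
        status["unlock_at"] = unlock.strftime(GT_FORMAT) if now < unlock else None

    # Failures still counted: with a non-zero pwdFailureCountInterval only those
    # inside the window count; 0 means every recorded failure counts.
    interval = int(first(policy, "pwdFailureCountInterval", "0"))
    failures = [gtime(v) for v in entry.get("pwdFailureTime", [])]
    if interval:
        failures = [t for t in failures if now - t < timedelta(seconds=interval)]
    status["failures"] = len(failures)

    # Expiry: the password expires pwdMaxAge seconds after pwdChangedTime; binds in
    # the last pwdExpireWarning seconds still succeed but get an expiry warning.
    max_age = int(first(policy, "pwdMaxAge", "0"))
    changed = first(entry, "pwdChangedTime")
    if max_age and changed:
        expires_at = gtime(changed) + timedelta(seconds=max_age)
        warn_at = expires_at - timedelta(seconds=int(first(policy, "pwdExpireWarning", "0")))
        status["expires_at"] = expires_at.strftime(GT_FORMAT)
        status["expired"] = now >= expires_at
        status["in_warning"] = warn_at <= now < expires_at
    else:
        status["expires_at"], status["expired"], status["in_warning"] = None, False, False

    # pwdReset TRUE: the entry may bind, but only to change its own password.
    status["must_change"] = first(entry, "pwdReset", "FALSE").upper() == "TRUE"
    return status


if __name__ == "__main__":
    policy, user = parse_ldif(POLICY_LDIF), parse_ldif(USER_LDIF)
    for now in ("20150416063800Z", "20150416070000Z"):   # during and after the lock
        print(now, account_status(user, policy, now))
```

Run against the sample, the entry is reported locked until 06:45:20Z (pwdAccountLockedTime plus the 900 s pwdLockoutDuration) and unlocked at 07:00:00Z, while its password expired on 2015-04-01 (pwdChangedTime plus 7776002 s), so even after the lock clears the bind will fail unless the password is changed, and pwdReset TRUE means the user may only do that. To clear the lock early, delete pwdAccountLockedTime (and pwdFailureTime) from the entry with an administrative modify.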
