2015-04-19 11:09 GMT+02:00 Dario Zanzico <[email protected]>:
> On Thu, Apr 16, 2015, at 06:38 AM, rockwang wrote:
>> Hi, all
>>
>> I set policy for user as following
>> # default, policies, abc.com
>> dn: cn=default,ou=policies,dc=abc,dc=com
>> objectClass: top
>> objectClass: device
>> objectClass: pwdPolicy
>> cn: default
>> pwdAttribute: userPassword
>> pwdMaxAge: 7776002
>> pwdExpireWarning: 432000
>> pwdInHistory: 3
>> pwdCheckQuality: 1
>> pwdMinLength: 8
>> pwdMaxFailure: 5
>> pwdLockout: TRUE
>> pwdLockoutDuration: 900
>> pwdGraceAuthNLimit: 0
>> pwdFailureCountInterval: 0
>> pwdMustChange: TRUE
>> pwdAllowUserChange: TRUE
>> pwdSafeModify: FALSE
>>
>> my question is how to check user lock status.
>
> with this policy an entry will have its password expired (will be denied
> BIND with an invalid credential message) when
> #
> account.pwdLastChange + policy.pwdMaxAge > $currentTimestamp
> #
>
This is about password expiration, not password lock status.
To check lock, read the pwdAccountLockedTime attribute. If it is present, the
password is locked.

Clément.
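The lock check described in the reply above, as an added example that is not part of the original thread: it reads pwdAccountLockedTime from LDIF output and evaluates it against the thread's pwdLockoutDuration of 900 seconds. It goes beyond the presence test with two ppolicy details that are assumptions here, not statements from the thread: the value 000001010000Z marks a lock only an administrator can clear, and a timestamp older than the lockout duration is reported as an expired lock. The user entry, its timestamp and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

PERMANENT = "000001010000Z"  # ppolicy marker: only an administrator can unlock

def parse_ldif(text):
    """Minimal LDIF reader for one entry: attribute -> list of values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ": " not in line:
            continue
        attr, value = line.split(": ", 1)
        entry.setdefault(attr, []).append(value.strip())
    return entry

def parse_time(value):
    """Parse a UTC GeneralizedTime such as 20150416043800Z."""
    body = value.rstrip("Z")
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def lock_status(entry, policy, now):
    """Return (state, unlock_time) for an entry under a pwdPolicy."""
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return ("not_locked", None)
    if values[0] == PERMANENT:
        return ("locked_permanent", None)
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    if duration == 0:  # no automatic unlock configured
        return ("locked_until_admin_reset", None)
    unlock = parse_time(values[0]) + timedelta(seconds=duration)
    return ("locked" if now < unlock else "lock_expired", unlock)

# Constructed sample data; the pwdLockoutDuration value is the one from the thread.
POLICY = parse_ldif(
    "dn: cn=default,ou=policies,dc=abc,dc=com\n"
    "pwdLockoutDuration: 900\n"
)
ENTRY = parse_ldif(
    "# constructed entry, as returned when the attribute is requested by name\n"
    "dn: uid=jdoe,ou=people,dc=abc,dc=com\n"
    "pwdAccountLockedTime: 20150416043800Z\n"
)

if __name__ == "__main__":
    now = datetime(2015, 4, 16, 4, 45, tzinfo=timezone.utc)
    print(lock_status(ENTRY, POLICY, now))
```

pwdAccountLockedTime is an operational attribute, so a search has to request it by name (or with `+`) for it to appear in the LDIF this code reads.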
