On 11/07/2023 at 11:41, CVZ wrote:

Hi Everybody, <https://stackoverflow.com/posts/76341444/timeline>

Sorry, we are fighting with pwdAccountLockedTime.

I want to use "pwdAccountLockedTime" attribute to automatically lock an account using OpenLDAP (v.2.5.14). Whatever the value in the field, the account is never locked.

I first started by activating the "ppolicy" module using slapadd and a ppolicy-module.ldif file such as mentioned here "https://stackoverflow.com/questions/49257247/how-to-activate-ppolicy-module-in-openldap", then I checked that the module is loaded and I did not have any problem:

$ sudo slapcat -n 0 | grep olcModuleLoad | grep ppolicy
olcModuleLoad: {0}ppolicy

Then, I extended the LDAP schema to allow the use of ppolicy attributes such as "pwdAccountLockedTime".


No need to do that, pwdAccountLockedTime is an operational attribute.


I set it to "00000101000000Z" in order to lock an account permanently (to check if it was working). But I can still connect (using LDAP Admin tools) with the account that was supposed to be locked.

We also tried to modify the value

dn: uid=...
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 20221021135537Z

And even with dates in the future, we are still able to connect, with the whoami command or from a SOGo webmail connected to the LDAP server.

Any idea?
Thanks in advance for your help.


Check that pwdLockout is set to TRUE in your ppolicy.


--

Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks |https://www.worteks.com

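The two points raised in the replies (pwdAccountLockedTime is operational, and pwdLockout must be TRUE for a lock to be enforced) put together as an added example; this is not configuration from the thread or from the OpenLDAP project. The database name olcDatabase={1}mdb, the suffix dc=example,dc=com, the policy container ou=policies and the user uid=alice are assumptions for illustration.

```ldif
# Added example, not from the thread. Assumed: database olcDatabase={1}mdb,
# suffix dc=example,dc=com, an existing ou=policies, a user uid=alice.

# 1. Instantiate the overlay on the database. "olcModuleLoad: ppolicy" only
#    makes the code available; without an olcOverlay entry the overlay never
#    sees a bind and no lock is ever checked.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Report "Account locked" to the client instead of a bare invalidCredentials.
# Handy while debugging, but it also tells an attacker which accounts exist
# and are locked; the default is FALSE for that reason.
olcPPolicyUseLockout: TRUE

# 2. The default policy. pwdPolicy is auxiliary, so a structural class is
#    needed; device is the conventional choice.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# pwdLockout defaults to FALSE. Without TRUE the overlay still records
# pwdAccountLockedTime after pwdMaxFailure failures, but a bind with the
# right password keeps succeeding, which is the symptom in the thread.
pwdLockout: TRUE
pwdMaxFailure: 5
# Failures older than this many seconds are forgotten.
pwdFailureCountInterval: 300
# Lock duration in seconds. 0 means locked until an administrator removes
# pwdAccountLockedTime.
pwdLockoutDuration: 900

# 3. Lock an account by hand. The attribute is operational and
#    NO-USER-MODIFICATION, so ldapmodify needs the Relax Rules control
#    (ldapmodify -e relax) and a bind DN with manage access on it.
#    slapo-ppolicy(5) documents the value 000001010000Z as "locked until an
#    administrator clears it"; any other timestamp is compared against
#    pwdLockoutDuration.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 000001010000Z
```

To confirm the overlay is really attached, search cn=config for it: `ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config '(olcOverlay=ppolicy)'`. To see the lock state, request the operational attributes explicitly, because a plain search does not return them: `ldapsearch ... -b uid=alice,ou=people,dc=example,dc=com pwdAccountLockedTime pwdPolicySubentry` (or `+` for all operational attributes). Then test the bind with `ldapwhoami -x -e ppolicy -D uid=alice,ou=people,dc=example,dc=com -W`: with the policy above it must fail with result 49, and the ppolicy control text names the account lock.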