On Sat, Nov 21, 2015 at 4:25 AM, Kiran Ayyagari <kayyag...@apache.org> wrote:
> On Sat, Nov 21, 2015 at 4:54 AM, Hal Deadman <hal.dead...@gmail.com>
> wrote:
>
> > I am trying to lock a user by setting the pwdAccountLockedTime
> > to 000001010000Z but I only seem to be able to do that as admin, not as
> > another user with an ACI granting them all rights to all user attributes. I
> > realize pwdAccountLockedTime is an operational attribute so that makes
> > sense.
> >
> > Two questions:
> >
> > Is there a way for an ACI to grant rights to specific users to update
> > operational attributes?
> >
> even if there is such an ACI, server is strict on not allowing other users
> other than
> the default admin user (uid=admin,ou=system)
> This is currently a limitation of the server
> (DefaultCoreSession.isAdministrator() returns
> true for the default admin account instead of checking for group
> membership)
>

It sounds like the service our applications call to update the LDAP server will need to connect as the administrator. Not really a problem.

> > Is there a better way to lock out a user (e.g. someone who incorrectly
> > answers forgot password security questions too many times) other than
> > binding with an incorrect password until they are locked out by the
> > password policy?
> >
> no, cause the current policy implementation works purely based on the
> combination
> of defined config parameters
>
> otoh, it is up to the application to do such job, LDAP server knows nothing
> about security
> questions and answers.

In AD there is account expiration (based on date) and an account disabled flag (in addition to the policy-based lock flag and password expiration dates). I think there needs to be a way to temporarily disable a user by an administrator, for whatever reason an administrator decides (beyond policy). I guess I can use pwdAccountLockedTime.

> > Thanks, Hal
> >
>
> --
> Kiran Ayyagari
> http://keydap.com
>
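A worked example added here, not code from the thread or from ApacheDS: it evaluates whether an account is locked from its pwdAccountLockedTime (treating 000001010000Z as the permanent lock the thread uses) and the policy's pwdLockoutDuration, and builds the LDIF modify an administrator would apply to lock or unlock the user. The user DN is a constructed sample; the lockout duration is assumed to be read from the policy entry.

```python
from datetime import datetime, timedelta, timezone

# Sentinel value used in the thread: the account stays locked until an
# administrator clears pwdAccountLockedTime (year 0000 is not a real time).
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse UTC LDAP GeneralizedTime (YYYYMMDDHHMMSSZ or YYYYMMDDHHMMZ)."""
    if not value.endswith("Z"):
        raise ValueError(f"only UTC GeneralizedTime is handled: {value!r}")
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S" if len(body) == 14 else "%Y%m%d%H%M"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def is_locked(locked_time, lockout_duration_secs, now=None) -> bool:
    """Return True if the account is currently locked.

    locked_time: the user's pwdAccountLockedTime value, or None if absent.
    lockout_duration_secs: the policy's pwdLockoutDuration; 0 means the
        lock never expires on its own (assumed to come from the policy entry).
    now: GeneralizedTime string to evaluate against; defaults to the clock.
    """
    if locked_time is None:
        return False
    if locked_time == PERMANENT_LOCK or lockout_duration_secs == 0:
        return True
    locked_at = parse_generalized_time(locked_time)
    current = parse_generalized_time(now) if now else datetime.now(timezone.utc)
    return current < locked_at + timedelta(seconds=lockout_duration_secs)


def lock_ldif(user_dn: str) -> str:
    """LDIF that sets the permanent lock; on ApacheDS this must be applied
    while bound as uid=admin,ou=system, as the thread explains."""
    return (f"dn: {user_dn}\nchangetype: modify\n"
            f"replace: pwdAccountLockedTime\n"
            f"pwdAccountLockedTime: {PERMANENT_LOCK}\n")


def unlock_ldif(user_dn: str) -> str:
    """LDIF that removes the lock by deleting the operational attribute."""
    return f"dn: {user_dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n"


if __name__ == "__main__":
    dn = "uid=hal,ou=users,ou=system"  # constructed sample DN
    print(lock_ldif(dn))
    print(is_locked(PERMANENT_LOCK, 300))  # True
```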