On Fri, Jun 28, 2013 at 7:13 PM, Emmanuel Lécharny <[email protected]> wrote:

> On 6/28/13 3:24 PM, Slavomir Kocka wrote:
> > Thanks for response...
> >
> > Yes, I read it, it was mentioned there above...
> >
> > However, it didn't work for me well.
> > Originally I had:
> >
> > ads-pwdLockout: TRUE
> > ads-pwdLockoutDuration: 0
> >
> > Which is default. When some users locked-out themselves, I stopped
> > servers, set ads-pwdLockoutDuration = 5, and started servers (just to
> > avoid brute force login attempts)
> > However accounts, which were locked during TRUE/0 configuration, didn't
> > unlock...
> >

this value cannot be applied on an already locked account (here they were
locked permanently due to the config value of 0, see below mentioned draft)

> 0 in this context means infinite. The thing is that once the users who
> were locked with 0 (ie infinite) will remain locked forever, no matter
> what (unless the admin unlocks them)
>

that is correct

> > Does duration apply only to newly locked accounts, or is it some bug?
>
> I don't think there is a bug. Although I think that having 0 as a
> default value is not necessarily the smartest idea we have had...
>

this is the standard value as per the draft [1]

[1] http://tools.ietf.org/id/draft-behera-ldap-password-policy-10.txt

> Kiran, do you have something more to add ?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>

--
Kiran Ayyagari
http://keydap.com
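The behaviour discussed in this thread, as an added example that is not part of the original messages and is not ApacheDS code: a simplified Python model of the draft's locked-account check. It assumes the server persists a lockout under duration 0 as the draft's permanent marker `000001010000Z` in `pwdAccountLockedTime`; the function names, entries and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Value the draft reserves for pwdAccountLockedTime: locked permanently,
# only a password administrator can unlock the account.
PERMANENT = "000001010000Z"
FMT = "%Y%m%d%H%M%SZ"

def lock_account(entry, now, lockout_duration):
    """Record a lockout using the policy in force at the moment of locking."""
    # Assumption: duration 0 is stored as the permanent marker, not a timestamp.
    entry["pwdAccountLockedTime"] = (
        PERMANENT if lockout_duration == 0 else now.strftime(FMT))

def is_locked(entry, now, lockout_duration):
    """Locked-account check evaluated at bind time with the current policy."""
    locked = entry.get("pwdAccountLockedTime")
    if locked is None:
        return False
    if locked == PERMANENT or lockout_duration == 0:
        return True  # the configured duration is never consulted here
    locked_at = datetime.strptime(locked, FMT).replace(tzinfo=timezone.utc)
    return now < locked_at + timedelta(seconds=lockout_duration)

def admin_unlock(entry):
    """Administrative unlock: remove the operational attribute."""
    entry.pop("pwdAccountLockedTime", None)

def demo():
    t0 = datetime(2013, 6, 28, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    old = {"uid": "user-a"}          # locked while ads-pwdLockoutDuration was 0
    lock_account(old, t0, 0)
    t1 = t0 + timedelta(hours=1)     # policy changed to 5 seconds, server restarted
    new = {"uid": "user-b"}          # locked under the new policy
    lock_account(new, t1, 5)
    later = t1 + timedelta(seconds=10)
    results = {
        "old_after_policy_change": is_locked(old, later, 5),
        "new_within_window": is_locked(new, t1 + timedelta(seconds=2), 5),
        "new_after_window": is_locked(new, later, 5),
    }
    admin_unlock(old)
    results["old_after_admin_unlock"] = is_locked(old, later, 5)
    return results

if __name__ == "__main__":
    print(demo())
```

After raising the duration from 0, accounts that still carry the permanent marker have to be found and unlocked by an administrator; only lockouts recorded under the new value expire on their own.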
