On Sat, Nov 21, 2015 at 7:50 PM, Jim Willeke <j...@willeke.com> wrote:

> Does ApacheDS support the pwdEndTime from
> https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 ?
>
it does

>
> This attribute specifies the time the entry's password becomes invalid for
> authentication. Authentication attempts made after this time will fail,
> regardless of expiration or grace settings. If this attribute does not
> exist, then this restriction does not apply.
> Note: that pwdStartTime may be set to a time greater than or equal to
> pwdEndTime; this simply disables the password.
>
> Appears this is the "drafts" method for administrative disablement of the
> account.
>
yep, this is another way to disable, but again no user modification
allowed on this attribute as well, other than by the default admin account

> --
> -jim
> Jim Willeke
>
> On Sat, Nov 21, 2015 at 1:25 AM, Kiran Ayyagari <kayyag...@apache.org>
> wrote:
>
> > On Sat, Nov 21, 2015 at 4:54 AM, Hal Deadman <hal.dead...@gmail.com>
> > wrote:
> >
> > > I am trying to lock a user by a setting the pwdAccountLockedTime
> > > to 000001010000Z but I only seem to be able to do that as admin, not as
> > > another user with an ACI granting them all rights to all user
> > attributes. I
> > > realize pwdAccountLockedTime is an operational attribute so  that makes
> > > sense.
> > >
> > > Two questions:
> > >
> > > Is there a way for an aci to grant rights to specific users to update
> > > operational attributes?
> > >
> > even if there is such an ACI, server is strict on not allowing users
> > other than the default admin user (uid=admin,ou=system).
> > This is currently a limitation of the server
> > (DefaultCoreSession.isAdministrator() returns
> > true for the default admin account instead of checking for group
> > membership)
> >
> > > Is there a better way to lock out a user (e.g. someone who incorrectly
> > > answers forgot password security questions too many times) other than
> > > binding with an incorrect password until they are locked out by the
> > > password policy?
> > >
> > no, cause the current policy implementation works purely based on the
> > combination of defined config parameters
> >
> > otoh, it is up to the application to do such a job, LDAP server knows
> > nothing about security questions and answers.
> >
> >
> > > Thanks, Hal
> > >
> >
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
>



-- 
Kiran Ayyagari
http://keydap.com
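To make the draft's time-based rules discussed in this thread concrete, here is an added example (not ApacheDS code or any code from the thread) that evaluates pwdAccountLockedTime, pwdStartTime and pwdEndTime for a user entry read as a dict. The entries and timestamps are constructed, and the policy's pwdLockoutDuration is assumed to be passed in by the caller.

```python
"""Evaluate the time-based restrictions from draft-behera-ldap-password-policy
quoted above: pwdAccountLockedTime, pwdStartTime and pwdEndTime.
Added example, not ApacheDS code; entries below are constructed."""
from datetime import datetime, timezone
from typing import Dict, Optional

# Sentinel value used in the thread to lock an account until an admin resets it.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime as YYYYMMDDHHMMSSZ or YYYYMMDDHHMMZ (UTC)."""
    fmt = "%Y%m%d%H%M%SZ" if len(value) == 15 else "%Y%m%d%H%MZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def auth_refusal_reason(entry: Dict[str, str], now: datetime,
                        lockout_duration: Optional[int] = None) -> Optional[str]:
    """Return why a bind must be refused, or None when the time checks pass.
    lockout_duration is the policy's pwdLockoutDuration in seconds (assumed
    supplied by the caller); None means a lock never expires on its own."""
    locked = entry.get("pwdAccountLockedTime")
    if locked == PERMANENT_LOCK:
        return "account locked by an administrator"
    if locked is not None:
        age = (now - parse_generalized_time(locked)).total_seconds()
        if lockout_duration is None or age < lockout_duration:
            return "account locked by the password policy"
    start, end = entry.get("pwdStartTime"), entry.get("pwdEndTime")
    if start and end and parse_generalized_time(start) >= parse_generalized_time(end):
        return "password disabled (pwdStartTime >= pwdEndTime)"
    if start and now < parse_generalized_time(start):
        return "password not yet valid (pwdStartTime)"
    if end and now >= parse_generalized_time(end):
        return "password no longer valid (pwdEndTime)"
    return None


if __name__ == "__main__":
    now = datetime(2015, 11, 21, 19, 0, tzinfo=timezone.utc)
    samples = {  # constructed entries, one per rule
        "admin-locked": {"pwdAccountLockedTime": PERMANENT_LOCK},
        "policy-locked": {"pwdAccountLockedTime": "20151121184500Z"},
        "disabled": {"pwdStartTime": "20160101000000Z", "pwdEndTime": "20160101000000Z"},
        "expired-end": {"pwdEndTime": "20151120000000Z"},
        "ok": {"pwdEndTime": "20161231235959Z"},
    }
    for name, entry in samples.items():
        print(f"{name:14} -> {auth_refusal_reason(entry, now, lockout_duration=1800)}")
```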
