We've been using the old Sun Directory Server (DSEE7) for a long time and have 
had things working in such a way that when a user on Linux or Windows locks the 
account after so many failures, neither Windows nor Linux will allow them to 
log in.

The way that was done was to modify the samba source code (in lib/smbldap.c) to 
point the SambaKickoffTime variable to pwdaccountlockedtime from the LDAP 
server. This worked.

We want to move to the 389 directory server and perform the same function, but 
I'm having some issues. The pwdaccountlockedtime isn't there anymore. When the 
account locks, I see that we have the accountunlocktime attribute being set.

Unfortunately, I can't use that field for samba since it's looking for unix 
time in seconds. The default value of accountunlocktime is Jan 1 1970, so samba 
thinks that this is some date in the year 600,000+. 

So, are any of the following things possible? If so, how can I do it?

1) When an account locks out on the DS, automatically set the SambaKickoffTime 
attribute in DS to the current time in seconds

2) Change the default value of accountunlocktime to 00000000000000Z instead of 
1970....

3) Change the format of the sambakickofftime inside of samba so that it will 
acknowledge what the DS offers it.

4) Some other way to get samba to acknowledge that the account cannot log in 
automatically upon lockout from DS.

Thanks for your help. 

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
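The format mismatch described in the post (389 DS writes accountUnlockTime as an LDAP GeneralizedTime string, while Samba reads sambaKickoffTime as Unix seconds), as an added example that is not part of the original message or of either project: it converts one format to the other, shows why the 1970 default turns into a year in the 600,000s when its raw digits are taken as seconds, and derives the value option 1 would write. The exact sentinel string `19700101000000Z` is an assumption.

```python
import calendar
import datetime

# Assumed spelling of the "Jan 1 1970" default the post reports for accountUnlockTime.
UNLOCKED_SENTINEL = "19700101000000Z"


def generalized_time_to_epoch(value: str) -> int:
    """Parse an LDAP GeneralizedTime (YYYYMMDDHHMMSS[.fff]Z, UTC) into Unix seconds."""
    core = value.rstrip("Z").split(".")[0]
    dt = datetime.datetime.strptime(core, "%Y%m%d%H%M%S")
    return calendar.timegm(dt.timetuple())


def naive_samba_interpretation(value: str) -> int:
    """What Samba sees if the GeneralizedTime digits are handed over unconverted."""
    return int(value.rstrip("Z"))


def approx_year_of_epoch(seconds: int) -> int:
    """Rough calendar year for an epoch value too large for datetime to represent."""
    return 1970 + seconds // 31556952  # average seconds per Gregorian year


def samba_kickoff_for(account_unlock_time, now_epoch: int):
    """Value to store in sambaKickoffTime for option 1 from the post.

    Returns None when the account is not locked (sentinel, empty, or the unlock
    time has already passed), meaning the attribute should be cleared; otherwise
    returns the current time in seconds so Samba refuses logins from now on.
    """
    if not account_unlock_time or account_unlock_time == UNLOCKED_SENTINEL:
        return None
    unlock_epoch = generalized_time_to_epoch(account_unlock_time)
    if unlock_epoch <= now_epoch:
        return None  # lockout window has expired
    return now_epoch
```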