Hi,
I was exploring account lockout functionality of password policy
overlay. I would like to know how to reliably check whether particular
account is locked or not (e.g. for use by a helpdesk application).
It looks like from the documentation that this is not possible to do by
just examining the account LDAP entry. Is that right?
The locked account contains pwdAccountLockedTime that indicates the time
when the account was locked. But I also need to determine whether the
lock has not expired. For that I need the value of pwdLockoutDuration
from the password policy. But how to determine what entry contains a
default password policy? For that I need access to cn=config, right? So
if my helpdesk application does not have access to the cn=config then
I'm pretty much out of luck.
Is my thinking OK or have I overlooked something?
--
Radovan Semancik
Software Architect
evolveum.com
