Thanks Clement,
I'm glad that you confirmed that. I was afraid that I was overlooking
something essential here.
On 06/15/2016 10:14 PM, Clément OUDOT wrote:
> Well, if there is a default ppolicy configured, then yes, you need to
> search for it in cn=config, but it can also be a configuration parameter
> on your side. If there is not, the policy will be defined in
> pwdPolicySubentry, so you can directly request it.
Yes, theoretically I can have a configuration parameter on my side. But
practically that is asking for trouble during operation and maintenance.
If the pointer to the default password policy in OpenLDAP changes, I'm quite
sure nobody will think about updating the configuration of my application.
> You also need to take into account the value 000001010000Z in
> pwdAccountLockedTime which means the password is locked forever.
Sure. I have seen that in the docs.
> But we clearly lack some operations that would allow us to know the
> state of an account. This could be an interesting discussion if we
> work on a new ppolicy draft.
Well, that's a bit more complex. It is not just an operation to check
the status. But there are also use cases to search for such accounts. E.g.
statistics on how many accounts are locked, looking for locked accounts if a
password attack is suspected, etc.
--
Radovan Semancik
Software Architect
evolveum.com
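
The client-side evaluation discussed in this message, as an added example that is not part of the original thread or of OpenLDAP: it resolves the effective policy (pwdPolicySubentry first, otherwise a default DN the caller has read from cn=config) and classifies pwdAccountLockedTime, including the 000001010000Z value. The entry and policy dictionaries, DNs and function names are constructed for illustration; pwdLockoutDuration is the standard ppolicy attribute holding the lock duration in seconds.

```python
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # value quoted in the thread: locked forever

def parse_generalized_time(value):
    """Parse the UTC form YYYYMMDDHHMMSS[.fraction]Z used by operational attributes."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled here")
    body = value[:-1].split(".")[0]
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def effective_policy_dn(entry, default_policy_dn):
    """pwdPolicySubentry on the entry wins; otherwise fall back to the server default."""
    values = entry.get("pwdPolicySubentry") or []
    return values[0] if values else default_policy_dn

def lock_state(entry, policies, default_policy_dn, now):
    """Return 'unlocked', 'locked-permanent' or 'locked-until:<ISO time>'."""
    locked = entry.get("pwdAccountLockedTime") or []
    if not locked:
        return "unlocked"
    if locked[0] == PERMANENT_LOCK:
        return "locked-permanent"
    policy = policies.get(effective_policy_dn(entry, default_policy_dn), {})
    duration = int((policy.get("pwdLockoutDuration") or ["0"])[0])
    if duration == 0:  # absent or 0: locked until an administrator resets it
        return "locked-permanent"
    until = parse_generalized_time(locked[0]) + timedelta(seconds=duration)
    return "unlocked" if now >= until else "locked-until:" + until.isoformat()

def locked_accounts(entries, policies, default_policy_dn, now):
    """DNs that are locked right now. A presence filter such as
    (pwdAccountLockedTime=*) only yields candidates; the duration is checked here."""
    return [dn for dn, e in entries.items()
            if lock_state(e, policies, default_policy_dn, now) != "unlocked"]

# Constructed sample data (not taken from any real directory).
DEFAULT_DN = "cn=default,ou=policies,dc=example,dc=com"
STRICT_DN = "cn=strict,ou=policies,dc=example,dc=com"
POLICIES = {DEFAULT_DN: {"pwdLockoutDuration": ["600"]},
            STRICT_DN: {"pwdLockoutDuration": ["0"]}}
ENTRIES = {
    "uid=alice,dc=example,dc=com": {},
    "uid=bob,dc=example,dc=com": {"pwdAccountLockedTime": ["20160616115500Z"]},
    "uid=carol,dc=example,dc=com": {"pwdAccountLockedTime": ["20160616110000Z"]},
    "uid=dave,dc=example,dc=com": {"pwdAccountLockedTime": [PERMANENT_LOCK]},
    "uid=erin,dc=example,dc=com": {"pwdAccountLockedTime": ["20160616110000Z"],
                                   "pwdPolicySubentry": [STRICT_DN]},
}
NOW = datetime(2016, 6, 16, 12, 0, 0, tzinfo=timezone.utc)
```

The same classification serves both use cases raised above: checking a single account, and counting or listing locked accounts when a password attack is suspected.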