> On Fri, 2003-03-28 at 23:55, Jianliang Lu wrote:
> > Now the users of "admin users" will not be locked. 
> 
> "admin users" is not the appropriate choice here.  Better would be the
> members of the 'domain admins' group.  The interesting bit is finding
> this out at the right point in time...

Yes, I agree with you. But as long as the privilege of "domain admins" does
not work, I can only use "admin users" as a workaround for the
administrators group.
 
>
> > Attached is the new patch file.
> > About lockout duration, I will implement it next time. I think that we
> > should extend another attribute to record the lockout time.
> 
> We also need to check that the account policy has been set, and that
> it's not 0 (which I assume is the 'don't lock out' value).
> 

'0' means forever. We can always put the max number like 99999.. to that. As
soon as the user logs on with the correct password, the bad attempt count will
be reset to 0.

> Also, I'm worried about the writes this will cause on the backend.  An
> LDAP write can be quite expensive, and for the LDAP case this means that
> the master ldap server will be hit for every logon attempt.  
> 

Yes, but I don't know how to implement it differently.

> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
> Student Network Administrator, Hawker College   [EMAIL PROTECTED]
> http://samba.org     http://build.samba.org     http://hawkerc.net



Jianliang Lu
TieSse s.p.a.
Via Jervis, 60.  10015 Ivrea (To) - Italy
[EMAIL PROTECTED]
[EMAIL PROTECTED]
