On Sat, Nov 21, 2015 at 4:54 AM, Hal Deadman <hal.dead...@gmail.com> wrote:
> I am trying to lock a user by setting the pwdAccountLockedTime
> to 000001010000Z but I only seem to be able to do that as admin, not as
> another user with an ACI granting them all rights to all user attributes. I
> realize pwdAccountLockedTime is an operational attribute so that makes
> sense.
>
> Two questions:
>
> Is there a way for an ACI to grant rights to specific users to update
> operational attributes?
>

Even if there is such an ACI, the server is strict on not allowing any user other than the default admin user (uid=admin,ou=system) to do this. This is currently a limitation of the server (DefaultCoreSession.isAdministrator() returns true for the default admin account instead of checking for group membership).

> Is there a better way to lock out a user (e.g. someone who incorrectly
> answers forgot-password security questions too many times) other than
> binding with an incorrect password until they are locked out by the
> password policy?
>

No, because the current policy implementation works purely based on the combination of defined config parameters. OTOH, it is up to the application to do such a job; the LDAP server knows nothing about security questions and answers.

> Thanks,
> Hal
>

--
Kiran Ayyagari
http://keydap.com
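As an added example (not code from the thread or from ApacheDS), here is the application-side approach the reply points to: the application counts wrong security-question answers itself and, once a limit is reached, produces the LDIF modification that sets pwdAccountLockedTime to 000001010000Z, to be applied over the uid=admin,ou=system bind that ApacheDS requires for that operational attribute. The DN, the failure threshold and the class/function names are constructed for illustration.

```python
"""
Application-side lockout for ApacheDS, as sketched in the reply above.

The application tracks failed security-question answers; at the threshold it
emits an LDIF change setting pwdAccountLockedTime to 000001010000Z, the
password-policy draft's "locked until an administrator resets it" value.
ApacheDS only lets uid=admin,ou=system write this operational attribute, so
apply the output with an admin bind, e.g.
    ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f lock.ldif
"""
from __future__ import annotations

from collections import defaultdict

PERMANENT_LOCK = "000001010000Z"   # value quoted in the thread
MAX_FAILURES = 3                    # constructed threshold (assumption)

# Constructed sample DN; not taken from the thread.
SAMPLE_USER_DN = "uid=hal,ou=users,o=example"


def lock_ldif(dn: str) -> str:
    """LDIF that marks the account locked until an admin clears it."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: pwdAccountLockedTime\n"
            f"pwdAccountLockedTime: {PERMANENT_LOCK}\n")


def unlock_ldif(dn: str) -> str:
    """LDIF that removes the lock (also needs the admin bind)."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "delete: pwdAccountLockedTime\n")


class SecurityQuestionGuard:
    """Counts wrong answers per DN; returns lock LDIF once the limit is hit."""

    def __init__(self, max_failures: int = MAX_FAILURES) -> None:
        self.max_failures = max_failures
        self.failures: dict[str, int] = defaultdict(int)

    def record_answer(self, dn: str, correct: bool) -> str | None:
        if correct:
            self.failures.pop(dn, None)    # a correct answer resets the count
            return None
        self.failures[dn] += 1
        if self.failures[dn] >= self.max_failures:
            self.failures.pop(dn, None)    # counter no longer needed once locked
            return lock_ldif(dn)           # apply as uid=admin,ou=system
        return None
```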