Does ApacheDS support the pwdEndTime from https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 ?
This attribute specifies the time the entry's password becomes invalid for authentication. Authentication attempts made after this time will fail, regardless of expiration or grace settings. If this attribute does not exist, then this restriction does not apply. Note that pwdStartTime may be set to a time greater than or equal to pwdEndTime; this simply disables the password.

Appears this is the draft's method for administrative disablement of the account.

--
-jim
Jim Willeke

On Sat, Nov 21, 2015 at 1:25 AM, Kiran Ayyagari <[email protected]> wrote:

> On Sat, Nov 21, 2015 at 4:54 AM, Hal Deadman <[email protected]> wrote:
>
> > I am trying to lock a user by setting the pwdAccountLockedTime to 000001010000Z but I only seem to be able to do that as admin, not as another user with an ACI granting them all rights to all user attributes. I realize pwdAccountLockedTime is an operational attribute so that makes sense.
> >
> > Two questions:
> >
> > Is there a way for an aci to grant rights to specific users to update operational attributes?
> >
>
> even if there is such an ACI, server is strict on not allowing other users other than the default admin user (uid=admin,ou=system)
> This is currently a limitation of the server (DefaultCoreSession.isAdministrator() returns true for the default admin account instead of checking for group membership)
>
> > Is there a better way to lock out a user (e.g. someone who incorrectly answers forgot password security questions too many times) other than binding with an incorrect password until they are locked out by the password policy?
> >
>
> no, cause the current policy implementation works purely based on the combination of defined config parameters
>
> otoh, it is up to the application to do such job, LDAP server knows nothing about security questions and answers.
>
> > Thanks, Hal
> >
>
> --
> Kiran Ayyagari
> http://keydap.com
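As an added illustration (not code from this thread or from ApacheDS), the checker below applies the draft's pwdAccountLockedTime, pwdStartTime and pwdEndTime semantics discussed above to an entry's operational attributes, including the 000001010000Z permanent-lock value Hal sets. The attribute values are constructed samples, and the function names and the `lockout_duration` parameter (standing in for pwdLockoutDuration) are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Value of pwdAccountLockedTime that the draft defines as "locked permanently".
# Year 0000 is not representable as a datetime, so it is handled as a sentinel.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime, with or without a seconds field."""
    digits = value.rstrip("Z")
    fmt = "%Y%m%d%H%M%S" if len(digits) == 14 else "%Y%m%d%H%M"
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)


def password_usable(attrs, now, lockout_duration=0):
    """Return (usable, reason) for the entry's password-policy attributes.

    attrs: dict of operational attributes as GeneralizedTime strings (constructed input).
    now: current time, as a GeneralizedTime string or an aware datetime.
    lockout_duration: pwdLockoutDuration in seconds (assumed parameter);
                      0 means the lock holds until an administrator clears it.
    """
    if isinstance(now, str):
        now = parse_generalized_time(now)

    locked = attrs.get("pwdAccountLockedTime")
    if locked is not None:
        if locked == PERMANENT_LOCK:
            return False, "account permanently locked"
        lock_time = parse_generalized_time(locked)
        if lockout_duration == 0 or now < lock_time + timedelta(seconds=lockout_duration):
            return False, "account locked"

    start = attrs.get("pwdStartTime")
    end = attrs.get("pwdEndTime")
    start_dt = parse_generalized_time(start) if start else None
    end_dt = parse_generalized_time(end) if end else None

    # pwdStartTime >= pwdEndTime is the draft's way of disabling the password outright.
    if start_dt and end_dt and start_dt >= end_dt:
        return False, "password disabled (pwdStartTime >= pwdEndTime)"
    if start_dt and now < start_dt:
        return False, "password not yet valid"
    # After pwdEndTime, binds fail regardless of expiration or grace settings.
    if end_dt and now >= end_dt:
        return False, "password end time reached"
    return True, "ok"
```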
