Re: Question pertaining to PPolicy overlay feature

[Howard Chu <hyc@symas.com>]

In revision 1.58 I updated the operational attribute schema to match 
draft 9 of the password policy specification; it makes a number of 
attributes non-user-modifiable, including pwdAccountLockedTime. We may 
have to back out a couple more of these changes if there is no internal 
mechanism to alter these attributes. I'll raise this question on the 
ldapext mailing list and see what answers we get.

Shawn McKinney wrote:
> To reset a user's LDAP account that has been locked
> due  maxFailure bind failures, my client program
> performs the following steps:   
>
> On the user entry that is locked:
> set userPassword = to a new password value
> set pwdReset = TRUE
> delete pwdLockedTime operational attribute
>
> Testing w/ version 1.56 ppolicy module the above steps
> work flawlessly. The user must change password on
> subsequent bind per PW policy setting.
>
> But when I upgrade to latest version of ppolicy
> module, 1.60, I get constraint violation when I
> attempt removal of user's pwdLockedTime attribute.
>
> My question is, for situations when the user account
> is locked, how do we reset the user account
> programatically?  I have found leaving the pwdReset
> flag alone will not unlock the user's account.
>
> Thanks,
>
> Shawn
>
>
>   


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/