--- Howard Chu <hyc@symas.com> wrote:
Both ways are intended to work, because there are really two separate use cases. In one case, it should be possible to reset the locked status of an account without requiring the password to be changed at the same time. This would be a situation e.g. where a third party tried unsuccessfully to guess the user's password, causing the account to get locked. The user still knows the password, and the password's integrity has not been violated, so the user ought to be allowed to continue to use it. (There is of course a side issue of tracking down the third party and putting a stop to whatever they're doing, but that's a separate discussion...)
The current revision in CVS HEAD makes the pwdAccountLockedTime user modifiable again (undoing the draft-9 change for now) and also deletes the attribute automatically when the password is changed.
I've verified that version 1.62 behaves in the manner described above.
But, I am not sure which way to proceed -
1. remove the pwdAccountLockedTime attribute w/ client or
2. leave the attribute alone, let the ppolicy overlay modify it.
Any recommendations? Right now both ways work.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
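
The two unlock paths discussed in this message, as an added example that is not part of the original mail or the OpenLDAP source: shell functions that emit the LDIF an administrator would pipe to `ldapmodify` for each case. The function names and the sample DN are assumptions, and the DN check is an added safeguard so a value copied from a helpdesk ticket cannot inject extra LDIF lines.

```shell
#!/bin/sh
# Added example. Function names and the sample DN are assumptions.
NL='
'
# Accept only DNs that are LDIF "safe strings": printable ASCII, no leading
# space/colon/less-than, no trailing space, and no embedded newline.
safe_dn() {
    case "$1" in
        ''|' '*|':'*|'<'*|*' '|*"$NL"*) return 1 ;;
    esac
    # Anything left after deleting printable ASCII is a control or 8-bit byte.
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d ' -~')" ]
}

# Case 1: the password was never compromised. Clear only the lock and leave
# userPassword untouched, so the user keeps the existing password.
unlock_ldif() {
    safe_dn "$1" || return 1
    printf 'dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n' "$1"
}

# Case 2: the password is being changed anyway. Per the message above, the
# ppolicy overlay deletes pwdAccountLockedTime itself on a password change,
# so the LDIF only replaces userPassword (base64 form, safe for any bytes).
reset_password_ldif() {
    safe_dn "$1" || return 1
    pw64=$(printf '%s' "$2" | base64 | tr -d '\n')
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword:: %s\n' \
        "$1" "$pw64"
}

# Typical use against a directory (not run here):
#   unlock_ldif "$DN" | ldapmodify -x -D "$ADMIN_DN" -W
# Demo with a constructed DN:
unlock_ldif 'uid=jdoe,ou=people,dc=example,dc=com'
```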