Re: Checking that account is locked

[Clément OUDOT <clement.oudot@savoirfairelinux.com>]

Le 16/06/2016 10:36, Radovan Semancik a écrit :
> Thanks Clement,
>
> I'm glad that you confirmed that. I was afraid that I'm overlooking 
> something essential here.
>
> On 06/15/2016 10:14 PM, Clément OUDOT wrote:
> > Well, if there is a default ppolicy configured, and yes you need to 
> > search it in cn=config, but it can also be a configuration parameter 
> > on your side. If there is not, the policy will be defined in 
> > pwdPolicySubentry, so you can directly request it.
>
> Yes, theoretically I can have configuration parameter on my side. But 
> practically that is asking for trouble during operation and 
> maintenance. If the pointer to default password policy in OpenLDAP 
> changes I'm quite sure nobody will think about updating the 
> configuration of my application.
>
> > You also need to take into account the value 000001010000Z in 
> > pwdAccountLockedTime which means the password is locked forever.
>
> Sure. I have seen that in the docs.
>
> > But we clearly lack of some operations that would allow to know the 
> > state of an account. This could be an interesting discussion if we 
> > work on a new ppolicy draft.
>
> Well, that's a bit more complex. It is not just an operation to check 
> the status. But there are also usecases to search such accounts. E.g. 
> statistics how many accounts are locked, look for locked accounts if 
> an password attack is suspected, etc.


Maybe a solution can be to rely on the pwdAccountLockedTime attribute 
presence and create a cronjob that will remove this attribute if the 
pwdLockoutDuration is over. Not very clean but seems a quick fix.



--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot