Message-ID: <5149FD59.1000103@gmail.com>
Date: Wed, 20 Mar 2013 19:18:01 +0100
From: Emmanuel Lécharny
To: users@directory.apache.org
Subject: Re: [ApacheDS] - Account permanently locked
In-Reply-To: <169C7BAC03C46747A97D6E544E0B71F29956EC72A5@MSPMSGCCR000.corp.fairisaac.com>

On 3/20/13 6:32 PM, Heu, Tou-Soua wrote:
> I have a similar problem but instead of the system/admin account it's for an ordinary LDAP account:
>
> 1) what is the process to unlock an account which has been locked due to excessive login failure?
>
> Resetting the password doesn't clear the locked state.
>
> Looking at other LDAP products, like the IBM Tivoli Directory Server, I'm guessing that one would need to delete both "pwdFailureTime" and "pwdAccountLockedTime" attributes but for whatever reason we can't delete the latter, even with the system account (this situation occurred on the 2.0 M6 build, not sure if this was fixed in recent versions like M11).
>
> In reviewing the 2.0 documentation, I couldn't find answers to these other general usage:
>
> 2) what is the process for unlocking an account for other scenarios, if applicable, like an expired account?
> 3) how do you overwrite the password policy for a given account or container? In other words, either:
> 3.a) flag it to not be bound by any password policy, or
> 3.b) set it to use a different password policy than its parent
>
> Thanks.
>
> Addendum: is this related to issue logged under DIRSERVER-1813?

Yes, most certainly. This is a critical issue that needs to be fixed. The only possible workaround atm is to delete the user and to recreate it.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com