directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: ads-pwdLockoutDuration flag
Date Fri, 28 Jun 2013 14:08:23 GMT
On Fri, Jun 28, 2013 at 7:13 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> On 6/28/13 3:24 PM, Slavomir Kocka wrote:
> > Thanks for response...
> >
> > Yes, I read it, it was mentioned there above...
> >
> > However, it didn't work for me well.
> > Originally I had:
> >
> > ads-pwdLockout: TRUE
> > ads-pwdLockoutDuration: 0
> >
> > Which is default. When some users locked-out themselves, I stopped
> > servers, set ads-pwdLockoutDuration = 5, and started servers (just to avoid
> > brute force login attempts)
> > However accounts, which were locked during TRUE/0 configuration, didn't
> > unlock...
>

this value cannot be applied on an already locked account (here they were
locked permanently due to the config value of 0, see below mentioned draft)

> 0 in this context means infinite. The thing is that the users who
> were locked with 0 (i.e. infinite) will remain locked forever, no matter
> what (unless the admin unlocks them)
> >
>
that is correct

> > Does duration apply only to newly locked accounts, or is it some bug?
>
> I don't think there is a bug. Although I think that having 0 as a
> default value is not necessarily the smartest idea we have had...
>

this is the standard value as per the draft [1]

[1] http://tools.ietf.org/id/draft-behera-ldap-password-policy-10.txt

> Kiran, do you have something more to add ?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com
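
A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from the ApacheDS code base or from any poster. It assumes the lock is stamped on the entry at lock time, that a duration of 0 is recorded as the permanent-lock value 000001010000Z in pwdAccountLockedTime, and that the duration is in seconds; the function names and the sample accounts are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumption: permanent-lock sentinel stored in pwdAccountLockedTime.
PERMANENT = "000001010000Z"
FMT = "%Y%m%d%H%M%SZ"

def lock_account(entry, policy, now):
    """Stamp the lock on the entry using the policy in force at lock time."""
    if policy["ads-pwdLockout"]:
        permanent = policy["ads-pwdLockoutDuration"] == 0
        entry["pwdAccountLockedTime"] = PERMANENT if permanent else now.strftime(FMT)

def is_locked(entry, policy, now):
    """Evaluate the stored lock against the policy in force at bind time."""
    stamp = entry.get("pwdAccountLockedTime")
    if stamp is None or not policy["ads-pwdLockout"]:
        return False
    if stamp == PERMANENT or policy["ads-pwdLockoutDuration"] == 0:
        return True  # stays locked until an administrator clears it
    locked_at = datetime.strptime(stamp, FMT).replace(tzinfo=timezone.utc)
    return now < locked_at + timedelta(seconds=policy["ads-pwdLockoutDuration"])

def admin_unlock(entry):
    """Administrative reset: drop the lock stamp (hypothetical helper)."""
    entry.pop("pwdAccountLockedTime", None)

def scenario():
    t0 = datetime(2013, 6, 28, 12, 0, 0, tzinfo=timezone.utc)  # constructed time
    old = {"ads-pwdLockout": True, "ads-pwdLockoutDuration": 0}
    new = {"ads-pwdLockout": True, "ads-pwdLockoutDuration": 5}
    alice, bob = {}, {}            # constructed sample entries
    lock_account(alice, old, t0)   # locked while the duration was 0
    lock_account(bob, new, t0)     # locked after the change to 5
    later = t0 + timedelta(seconds=6)
    results = {
        "alice_after_change": is_locked(alice, new, later),
        "bob_within_5s": is_locked(bob, new, t0 + timedelta(seconds=4)),
        "bob_after_5s": is_locked(bob, new, later),
    }
    admin_unlock(alice)
    results["alice_after_admin_unlock"] = is_locked(alice, new, later)
    return results

if __name__ == "__main__":
    for name, locked in scenario().items():
        print(f"{name}: locked={locked}")
```
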
