directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: administratively locking a user in apacheds
Date Sat, 21 Nov 2015 09:25:18 GMT
On Sat, Nov 21, 2015 at 4:54 AM, Hal Deadman <hal.deadman@gmail.com> wrote:

> I am trying to lock a user by a setting the pwdAccountLockedTime
> to 000001010000Z but I only seem to be able to do that as admin, not as
> another user with an ACI granting them all rights to all user attributes. I
> realize pwdAccountLockedTime is an operational attribute so  that makes
> sense.
>
> Two questions:
>
> Is there a way for an aci to grant rights to specific users to update
> operational attributes?
>
> even if there is such an ACI, server is strict on not allowing other users
other than
the default admin user (uid=admin,ou=system)
This is currently a limitation of the server
(DefaultCoreSession.isAdministrator() returns
true for the default admin account instead of checking for group membership)

Is there a better way to lock out a user (e.g. someone who incorrectly
> answers forgot password security questions too many times) other than
> binding with an incorrect password until they are locked out by the
> password policy?
>
> no, cause the current policy implementation works purely based on the
combination
of defined config parameters

otoh, it is upto the application to do such job, LDAP server knows nothing
about security
questions and answers.


> Thanks, Hal
>



-- 
Kiran Ayyagari
http://keydap.com

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message