[Fedora-directory-users] Password lockout and Account inactivation

Ulf Weltman ulf.weltman at hp.com
Tue Dec 26 20:56:59 UTC 2006


Ankur Agarwal wrote:
> Hi,
>  
> In my application I need to implement password lockout (after 3 
> unsuccessful attempts) and account inactivation by admin. I am using 
> Weblogic security provider for authenticating my users residing in 
> redhat LDAP. I have 2 questions:
>  
> 1) Using directory management console I have set lockout account after 
> 3 login attempts. Account does get locked out but I don't know which 
> attribute gets set in user profile to indicate the same?
The attribute accountUnlockTime gets set to a generalized timestamp.  
Depending on your policy it will either be the time when the user is due 
to be unlocked, or the magic timestamp 19700101000000Z if he's locked 
out forever.
It's operational and needs to be requested if searched:
ldapsearch [-x] -D "cn=directory manager" -w <password> -b <user's DN> "(objectclass=*)" accountunlocktime
>  
> 2) For account inactivation I am setting nsAccountLock=true. Is this 
> correct?
>  
> When I am trying to login I always get the same exception that login 
> failed. Is there a mechanism so that I can identify why login failed, 
> i.e. due to password lockout or account inactivation?
The LDAP result code is 53 (DSA unwilling to perform) when an 
inactivated user tries to bind.  There's also some status text, "Account 
inactivated. Contact system administrator."
In the case where the user is locked out due to incorrect passwords the 
code is 19 (constraint violation) with status text of "Exceed retry 
limit. Contact system administrator to reset."
You can verify the output and result code with ldapsearch:
ldapsearch [-x] -D <inactivated or locked user's DN> -w <password> -s base -b "" "(objectclass=*)"
echo $?

>  
> regards,
> Ankur


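Added example, not part of the original message: a small shell sketch that turns the result codes and the accountUnlockTime values described in the reply into a failure reason an application or help desk script can act on. The function names are hypothetical, the `-x` flag assumes the OpenLDAP ldapsearch client, and the timestamp is assumed to be in the UTC `YYYYMMDDhhmmssZ` form shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Codes 19 and 53 and the
# accountUnlockTime semantics are taken from the reply; the function names
# are made up for this sketch.

FOREVER=19700101000000Z   # "locked out forever" value quoted in the reply

# Map an LDAP bind result code (ldapsearch's exit status) to a reason.
classify_bind() {
    case "$1" in
        0)  echo ok ;;
        19) echo locked_out ;;       # constraint violation, "Exceed retry limit..."
        53) echo inactivated ;;      # unwilling to perform, "Account inactivated..."
        49) echo bad_credentials ;;  # standard invalidCredentials, not in the post
        *)  echo "other:$1" ;;
    esac
}

# Pull accountUnlockTime out of ldapsearch LDIF output read from stdin.
unlock_time_from_ldif() {
    awk -F': *' 'tolower($1) == "accountunlocktime" { print $2; exit }'
}

# Interpret accountUnlockTime ($1) relative to "now" ($2, defaults to the
# current UTC time). Assumes the YYYYMMDDhhmmssZ form shown in the post.
lockout_state() {
    unlock=$1
    now=${2:-$(date -u +%Y%m%d%H%M%SZ)}
    if [ -z "$unlock" ]; then echo not_locked; return 0; fi
    if [ "$unlock" = "$FOREVER" ]; then echo locked_until_admin_reset; return 0; fi
    if ! expr "$unlock" : '[0-9]\{14\}Z$' >/dev/null; then
        echo unparseable; return 0
    fi
    if [ "${unlock%Z}" -gt "${now%Z}" ]; then
        echo "locked_until:$unlock"
    else
        echo lock_expired
    fi
}

# Bind as the user with the command from the reply and report why it failed.
# $1 = user DN, $2 = password (-w exposes it in the process list).
why_bind_failed() {
    rc=0
    ldapsearch -x -D "$1" -w "$2" -s base -b "" "(objectclass=*)" \
        >/dev/null 2>&1 || rc=$?
    classify_bind "$rc"
}
```

The special case for 19700101000000Z matters: compared as an ordinary timestamp it lies in the past and would be misread as an expired lock.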