[Pki-users] DS 8.1 question -- password unlock attribute
Marc Sauton
msauton at redhat.com
Mon Jan 4 20:19:12 UTC 2010
Veale, Sean wrote:
>
>
> I'm trying to set up a password policy such that if a user attempts to
> bind with the incorrect password x times they will need to have it
> unlocked by an administrator.
>
> I have it mostly set up but have a question on the passwordUnlock
> attribute. From the 8.1 admin guide,
>
> passwordLockoutDuration: This attribute indicates the time, in seconds,
> that users will be locked out of the directory. The
> passwordUnlock attribute specifies that a user
> is locked out until the password is reset by an
> administrator. By default, the user is locked out
> for 3600 seconds.
>
> Do I need to set the passwordUnlock attribute to "off" to make it so
> an admin has to reset a user's password? Or does it need to be set to
> "on" to turn on the feature that I want?
>
I understand passwordUnlock means a user can unlock its entry/account
when it is set to 'on':
With passwordUnlock on (default) and passwordRetryCount reached, the
user account is locked until the specified passwordLockoutDuration value
is expired.
With passwordUnlock off and passwordRetryCount reached, the user account
is locked until the admin resets this user entry's password, no matter
what passwordLockoutDuration is set to.
With passwordUnlock off and passwordLockoutDuration set to 0, account
is always locked until some admin action on passwordLockoutDuration or
passwordUnlock.
I would likely set passwordUnlock to off, and test.
M.
>
> Thanks
> Sean
>
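The policy asked about above, with the passwordUnlock setting suggested in the reply, written as LDIF for ldapmodify. This is an added example, not part of the original thread: passwordLockout and passwordMaxFailure are the global policy attributes assumed here (the thread does not name them), and the threshold 3, the user DN and the password value are constructed placeholders.

```ldif
# Global password policy: lock the account after 3 failed binds
# (3 is a constructed stand-in for "x" in the question) and keep it
# locked until an administrator acts, per the reply's reading of
# passwordUnlock: off.
dn: cn=config
changetype: modify
replace: passwordLockout
passwordLockout: on
-
replace: passwordMaxFailure
passwordMaxFailure: 3
-
replace: passwordUnlock
passwordUnlock: off

# Administrator unlock, as described in the reply: reset the locked
# user's password. The DN and the value are placeholders.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: REPLACE_WITH_NEW_PASSWORD
```

After applying it, test as the reply suggests: fail the bind three times with a test account and confirm the correct password is rejected until the reset is done.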