DSEE Notes

From Brandonhutchinson.com


Revision as of 21:11, 13 December 2007

Account Lockout

Assuming a Directory Server password policy of the following:

pwd-lockout-duration               :  disabled
pwd-lockout-enabled                :  on
pwd-max-failure-count              :  3

What happens when a user enters an incorrect password 3 times?

  • The operational attribute accountUnlockTime is set to 19700101000000Z.
  • The operational attribute passwordRetryCount is set to 3.

Other notes:

  • Additional failed logins will not increment passwordRetryCount above pwd-max-failure-count.
  • Locked accounts and inactive accounts are separate. A locked account can still be activated.

How do you unlock the account?

What works:

  • Reset the userPassword using an appropriate LDIF.

What doesn't work:

  • Everything else I've tried, including deleting accountUnlockTime, passwordRetryCount, and RetryCountResetTime.

To reset the password to the same value that was used previously, assuming the Directory Server password policy allows it (i.e., pwd-max-history-count is disabled), include the full userPassword entry, including the password hash, in the LDIF. For example:

# Each modify record ends with "-" and records are separated by a blank line,
# otherwise ldapmodify reads the second dn: line as part of the first record.
dn: uid=user1,ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {crypt}XXXXXXXXXXXXX
-

dn: uid=user2,ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
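As an added example (not from the original notes), the following Python classifies an entry's lockout state from the operational attributes described above and builds the password-reset LDIF in the correct record layout. It assumes the 19700101000000Z sentinel means "locked until an administrator resets the password" (the case the notes describe) and, as an assumption the notes do not cover, that a configured lockout duration stores the lock expiry time in accountUnlockTime. The entries and policy values are constructed sample data.

```python
"""Interpret Sun DSEE account-lockout state and build the reset LDIF."""
from datetime import datetime, timezone

# Value the notes report in accountUnlockTime when pwd-lockout-duration is
# disabled: the account stays locked until the password is reset.
LOCKED_UNTIL_RESET = "19700101000000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20071213211100Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lockout_state(entry: dict, policy: dict, now: datetime) -> str:
    """Return 'unlocked', 'counting', 'locked' or 'locked-until-reset'.

    entry  -- attribute name -> string value, as ldapsearch would return it
    policy -- the pwd-* settings from the notes, values as strings
    """
    if policy.get("pwd-lockout-enabled") != "on":
        return "unlocked"
    unlock_time = entry.get("accountUnlockTime")
    if unlock_time == LOCKED_UNTIL_RESET:
        return "locked-until-reset"
    if unlock_time:
        # Assumption: with a lockout duration configured, accountUnlockTime is
        # the time the lock expires, so a value in the past means unlocked.
        return "locked" if parse_generalized_time(unlock_time) > now else "unlocked"
    retries = int(entry.get("passwordRetryCount", 0))
    if retries >= int(policy["pwd-max-failure-count"]):
        return "locked"
    return "counting" if retries > 0 else "unlocked"


def reset_password_ldif(resets: list) -> str:
    """Build one modify record per (dn, stored userPassword value).

    Each record is terminated by '-' and records are separated by a blank
    line, which is what ldapmodify requires to start a new dn.
    """
    records = [
        f"dn: {dn}\nchangetype: modify\nreplace: userPassword\n"
        f"userPassword: {stored}\n-\n"
        for dn, stored in resets
    ]
    return "\n".join(records)


if __name__ == "__main__":
    policy = {"pwd-lockout-enabled": "on", "pwd-max-failure-count": "3"}
    sample = {"accountUnlockTime": LOCKED_UNTIL_RESET, "passwordRetryCount": "3"}
    print(lockout_state(sample, policy, datetime.now(timezone.utc)))
    print(reset_password_ldif([("uid=user1,ou=people,dc=example,dc=com", "{crypt}PLACEHOLDER")]))
```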