Password lockout and Account inactivation

Ankur Agarwal wrote:
> Hi,
>  
> In my application I need to implement password lockout (after 3 
> unsuccessful attempts) and account inactivation by admin. I am using 
> Weblogic security provider for authenticating my users residing in 
> redhat LDAP. I have 2 questions:
>  
> 1) Using directory management console I have set lockout account after 
> 3 login attempts. Account does get locked out but I don't know which 
> attribute gets set in user profile to indicate the same?
The attribute accountUnlockTime gets set to a generalized timestamp.  
Depending on your policy it will either be the time when the user is due 
to be unlocked, or the magic timestamp 19700101000000Z if he's locked 
out forever.
It's operational and needs to be requested if searched:
    ldapsearch [-x] -D "cn=directory manager" -w <password> -b <user's DN> "(objectclass=*)" accountunlocktime
>  
> 2) For account inactivation I am setting nsAccountLock=true. Is this 
> correct?
>  
> When I am trying to login I always get same exception that login 
> failed. Is there a mechanism so that I can identify why login failed 
> i.e. due to password lockout or account inactivation?
The LDAP result code is 53 (DSA unwilling to perform) when an 
inactivated user tries to bind.  There's also some status text, "Account 
inactivated. Contact system administrator."
In the case where the user is locked out due to incorrect passwords the 
code is 19 (constraint violation) with status text of "Exceed retry 
limit. Contact system administrator to reset."
You can verify the output and result code with ldapsearch:
    ldapsearch [-x] -D <inactivated or locked user's DN> -w <password> -s base -b "" "(objectclass=*)"
    echo $?

>  
> regards,
> Ankur
>   
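
The result codes and the accountUnlockTime values described in the reply above, turned into a small classifier. This is an added example and not part of the original message; the function names are hypothetical, result codes 0 and 49 are standard LDAP codes the thread does not mention, and bind_reason assumes the OpenLDAP ldapsearch client (for its -y password-file option).

```shell
# Added example. Function names are hypothetical. Codes 19 and 53 come from
# the reply; 0 (success) and 49 (invalidCredentials) are standard LDAP codes.
# Log the reason server-side and keep the message shown at login generic.

FOREVER="19700101000000Z"   # "locked out forever" value from the reply

# classify_bind_rc RC: print a reason keyword for an LDAP bind result code.
classify_bind_rc() {
    case "$1" in
        0)  echo "ok" ;;
        19) echo "locked-out" ;;       # constraint violation, retry limit exceeded
        49) echo "bad-credentials" ;;  # invalid credentials
        53) echo "inactivated" ;;      # unwilling to perform, account inactivated
        *)  echo "other:$1" ;;
    esac
}

# describe_unlock_time VALUE [NOW]: interpret an accountUnlockTime value.
# NOW defaults to the current UTC time in the same YYYYMMDDhhmmssZ form.
describe_unlock_time() {
    _now=${2:-$(date -u +%Y%m%d%H%M%SZ)}
    case "$1" in
        "")         echo "no-lockout-recorded" ;;
        "$FOREVER") echo "locked-until-admin-reset" ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z)
            # Fixed-width digits, so the 14-digit numbers compare correctly.
            if [ "${1%Z}" -gt "${_now%Z}" ]; then
                echo "locked-until:$1"
            else
                echo "unlock-time-passed"
            fi ;;
        *)          echo "unrecognized-format" ;;
    esac
}

# bind_reason DN PWFILE: bind as the user against the root DSE, as in the
# reply, and classify the exit status. -y reads the password from a file
# (no trailing newline) so it does not appear in the process list.
bind_reason() {
    _rc=0
    ldapsearch -x -D "$1" -y "$2" -s base -b "" "(objectclass=*)" \
        >/dev/null 2>&1 || _rc=$?
    classify_bind_rc "$_rc"
}

# Constructed sample values, not output from a real server.
for rc in 0 19 49 53; do
    printf '%s -> %s\n' "$rc" "$(classify_bind_rc "$rc")"
done
```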

