Veale, Sean wrote:
I'm trying to set up a password policy such that if a user attempts to
bind with the incorrect password x times they will need to have it
unlocked by an administrator.
I have it mostly set up but have a question on the passwordUnlock
attribute. From the 8.1 admin guide,
passwordLockoutDuration: This attribute indicates the time, in seconds,
that users will be locked out of the directory. The
passwordUnlock attribute specifies that a user
is locked out until the password is reset by an
administrator. By default, the user is locked out
for 3600 seconds.
Do I need to set the passwordUnlock attribute to "off" to make it so
an admin has to reset a user's password? Or does it need to be set to
"on" to turn on the feature that I want?
I understand passwordUnlock means a user can unlock its entry/account
when it is set to 'on':
With passwordUnlock on (default) and passwordRetryCount reached, the
user account is locked until the specified passwordLockoutDuration value
is expired.
With passwordUnlock off and passwordRetryCount reached, the user account
is locked until the admin resets this user entry's password, no matter
what passwordLockoutDuration is set to.
With passwordUnlock off and passwordLockoutDuration set to 0, the account
is always locked until some admin action on passwordLockoutDuration or
passwordUnlock.
I would likely set passwordUnlock to off, and test.
M.
Thanks
Sean
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
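
The policy discussed in this thread, written out as LDIF for ldapmodify; this is an added example, not part of the original messages. It assumes the global policy in cn=config. passwordLockout, passwordMaxFailure and passwordResetFailureCount are Directory Server attributes the thread does not name, and the threshold, the user DN and the password value are constructed placeholders.

```ldif
# Global password policy: lock the account after repeated failed binds
# and keep it locked until an administrator resets the password.
dn: cn=config
changetype: modify
replace: passwordLockout
# Enable account lockout at all; without this the other settings do nothing.
passwordLockout: on
-
replace: passwordMaxFailure
# Number of failed binds before lockout (constructed value for "x times").
passwordMaxFailure: 3
-
replace: passwordResetFailureCount
# Seconds after which the failure counter is reset if no lockout occurred
# (constructed value).
passwordResetFailureCount: 600
-
replace: passwordUnlock
# off = no automatic unlock; passwordLockoutDuration is not used to
# release the account, only an administrator's password reset does.
passwordUnlock: off

# Administrator unlock: resetting userPassword on the locked entry.
# The DN and the value below are placeholders, not taken from the thread.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: REPLACE_WITH_NEW_PASSWORD
```

After a test lockout, reading the operational attribute passwordRetryCount on the user entry shows whether the failure counter reached the configured threshold.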