<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Ankur Agarwal wrote:
<blockquote cite="mid548207.25864.qm@web54114.mail.yahoo.com"
type="cite">
<div>Hi,</div>
<div> </div>
<div>In my application I need to implement password lockout (after 3
unsuccessful attempts) and account inactivation by admin. I am using the
Weblogic security provider for authenticating my users residing in
redhat LDAP. I have 2 questions:</div>
<div> </div>
<div>1) Using the directory management console I have set lockout of the account
after 3 login attempts. The account does get locked out, but I don't know
which attribute gets set in the user profile to indicate this?</div>
</blockquote>
The attribute accountUnlockTime gets set to a generalized timestamp.
Depending on your policy it will either be the time when the user is
due to be unlocked, or the magic timestamp 19700101000000Z if he's
locked out forever.<br>
It's operational and needs to be requested if searched:<br>
<pre wrap="">ldapsearch [-x] -D "cn=directory manager" -w &lt;password&gt; -b &lt;user's DN&gt; "(objectclass=*)" accountunlocktime</pre>
<blockquote cite="mid548207.25864.qm@web54114.mail.yahoo.com"
type="cite">
<div> </div>
<div>2) For account inactivation I am setting nsAccountLock=true. Is
this correct?</div>
<div> </div>
<div>When I am trying to log in I always get the same exception that login
failed. Is there a mechanism so that I can identify why login failed, i.e.
due to password lockout or account inactivation?</div>
</blockquote>
The LDAP result code is 53 (DSA unwilling to perform) when an
inactivated user tries to bind. There's also some status text,
"Account inactivated. Contact system administrator."<br>
In the case where the user is locked out due to incorrect passwords the
code is 19 (constraint violation) with status text of "Exceed retry
limit. Contact system administrator to reset."<br>
You can verify the output and result code with ldapsearch:<br>
<pre wrap="">ldapsearch [-x] -D &lt;inactivated or locked user's DN&gt; -w &lt;password&gt; -s base -b "" "(objectclass=*)"
echo $?</pre>
<br>
<blockquote cite="mid548207.25864.qm@web54114.mail.yahoo.com"
type="cite">
<div> </div>
<div>regards,</div>
<div>Ankur</div>
<pre wrap="">
<hr size="4" width="90%">
--
Fedora-directory-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a>
</pre>
</blockquote>
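<p>The two answers above (result code 53 with "Account inactivated..." for nsAccountLock, code 19 with "Exceed retry limit..." for password lockout, and accountUnlockTime with the 19700101000000Z sentinel) can be turned into a small client-side check. The following is an added example, not code from the thread or from the directory server; it uses only the Python standard library, the bind responses it is tested against are constructed samples, and result code 49 (invalidCredentials) is standard LDAP rather than something cited in the reply.</p>

```python
"""Interpret 389/Red Hat Directory Server lockout state from a bind response
and from the operational attribute accountUnlockTime (added example)."""
from datetime import datetime, timezone

# LDAP result codes cited in the reply, plus the standard wrong-password code.
CONSTRAINT_VIOLATION = 19      # "Exceed retry limit..." -> password lockout
INVALID_CREDENTIALS = 49       # plain wrong password (standard LDAP, not from the thread)
UNWILLING_TO_PERFORM = 53      # "Account inactivated..." -> nsAccountLock=true
LOCKED_FOREVER = "19700101000000Z"   # sentinel accountUnlockTime value


def classify_bind_failure(result_code: int, diagnostic: str = "") -> str:
    """Map a bind response (result code + status text) to an actionable reason.

    The status text is cross-checked so that an unrelated 19/53 from another
    plugin is not misreported as a lockout.
    """
    text = diagnostic.lower()
    if result_code == 0:
        return "ok"
    if result_code == UNWILLING_TO_PERFORM and "inactivated" in text:
        return "inactivated"
    if result_code == CONSTRAINT_VIOLATION and "retry limit" in text:
        return "locked_out"
    if result_code == INVALID_CREDENTIALS:
        return "bad_password"
    return "other(%d)" % result_code


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in the UTC form the server writes, e.g. 20240101120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def unlock_status(account_unlock_time, now=None):
    """Interpret accountUnlockTime as returned by ldapsearch.

    Returns (state, seconds_remaining) where state is 'unlocked', 'locked'
    or 'locked_forever'; seconds_remaining is None for the forever case.
    """
    if not account_unlock_time:          # attribute absent: never locked, or already cleared
        return "unlocked", 0
    if account_unlock_time == LOCKED_FOREVER:
        return "locked_forever", None
    now = now or datetime.now(timezone.utc)
    remaining = (parse_generalized_time(account_unlock_time) - now).total_seconds()
    if remaining <= 0:                   # unlock time has passed; next bind will succeed
        return "unlocked", 0
    return "locked", int(remaining)
```

In a real client, pass the result code and diagnostic message from the bind response object of your LDAP library into classify_bind_failure, and the value read with the ldapsearch shown above into unlock_status.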
</body>
</html>