[SOLVED] Automatically unlock LDAP user account

Ankushkalra · 10-10-2017, 06:44 AM

Hi,

I have successfully created LDAP server .

I want that LDAP users account gets automatically unlocked after 300 seconds.

LDAP user gets automatically locked after 3 invalid attempts but doesnot unlocks automatically.

I know how to manually unlock the user but i want to do this automatically.

Please suggest.

Configratioon files are as below.
Code:

[LDAP Server]# cat passwordpolicy.ldif
dn: cn=default,ou=policies,dc=Domain,dc=com
cn: default
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdExpireWarning: 604800
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 14
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

LDAP Server # ldapsearch -x -D cn=Manager,dc=Domain,dc=com -w tcs12345 -b "ou=People,dc=Domain,dc=com" -s sub -h `hostname` pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=Domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: pwdAccountLockedTime
#

# People, Domain.com
dn: ou=People,dc=Domain,dc=com

# ldapusr1, People, Domain.com
dn: uid=ldapusr1,ou=People,dc=Domain,dc=com

# ldapapp1, People, Domain.com
dn: uid=ldapapp1,ou=People,dc=Domain,dc=com
pwdAccountLockedTime: 20171010082937Z -------user account is locked

# ldapapp01, People, Domain.com
dn: uid=ldapapp01,ou=People,dc=Domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

TB0ne · 10-10-2017, 07:11 AM

Quote:

Originally Posted by Ankushkalra

Hi,
I have successfully created LDAP server. I want that LDAP users account gets automatically unlocked after 300 seconds. LDAP user gets automatically locked after 3 invalid attempts but doesnot unlocks automatically. I know how to manually unlock the user but i want to do this automatically. Please suggest. Configratioon files are as below.

Code:

[LDAP Server]# cat passwordpolicy.ldif
dn: cn=default,ou=policies,dc=Domain,dc=com
cn: default
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdExpireWarning: 604800
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 14
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE


LDAP Server # ldapsearch -x -D cn=Manager,dc=Domain,dc=com -w tcs12345 -b "ou=People,dc=Domain,dc=com" -s sub -h `hostname`  pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=Domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: pwdAccountLockedTime
#

# People, Domain.com
dn: ou=People,dc=Domain,dc=com

# ldapusr1, People, Domain.com
dn: uid=ldapusr1,ou=People,dc=Domain,dc=com

# ldapapp1, People, Domain.com
dn: uid=ldapapp1,ou=People,dc=Domain,dc=com
pwdAccountLockedTime: 20171010082937Z   -------user  account is locked

# ldapapp01, People, Domain.com
dn: uid=ldapapp01,ou=People,dc=Domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

Put your configs and such things in CODE tags, please. You say it doesn't unlock...what gives you this information? Do you wait the required amount of time, and what kind of system are you running as both client and server? The openLDAP documentation gives information about doing this:
http://www.openldap.org/doc/admin24/overlays.html
http://www.zytrax.com/books/ldap/ch6/ppolicy.html

...but if you have a Mac/Windows client, things may be different, especially if you're using Active Directory in addition to LDAP.

Ankushkalra · 10-14-2017, 01:28 AM

Thanks for the update!!!

The issue was resolved as i have logged in to LDAP client after 300 seconds with same password.

The issue was that "pwdAccountLockedTime" will not disappear after 300 seconds but disapear only after when i logged in after 300 sec with correct password.

Anyways thanks for the help.