Ankur Agarwal wrote:
> Hi,
>
> In my application I need to implement password lockout (after 3 unsuccessful attempts) and account inactivation by admin. I am using the WebLogic security provider for authenticating my users residing in Red Hat LDAP. I have 2 questions:
>
> 1) Using the directory management console I have set lockout account after 3 login attempts. The account does get locked out, but I don't know which attribute gets set in the user profile to indicate the same?

The attribute accountUnlockTime gets set to a generalized timestamp.  Depending on your policy it will either be the time when the user is due to be unlocked, or the magic timestamp 19700101000000Z if he's locked out forever.
It's operational and needs to be requested explicitly if searched:
ldapsearch [-x] -D "cn=directory manager" -w <password> -b <user's DN> "(objectclass=*)" accountunlocktime

> 2) For account inactivation I am setting nsAccountLock=true. Is this correct?
>
> When I am trying to login I always get the same exception that login failed. Is there a mechanism so that I can identify why login failed, i.e. due to password lockout or account inactivation?

The LDAP result code is 53 (DSA unwilling to perform) when an inactivated user tries to bind.  There's also some status text, "Account inactivated. Contact system administrator."
In the case where the user is locked out due to incorrect passwords the code is 19 (constraint violation) with status text of "Exceed retry limit. Contact system administrator to reset."
You can verify the output and result code with ldapsearch:
ldapsearch [-x] -D <inactivated or locked user's DN> -w <password> -s base -b "" "(objectclass=*)"
echo $?


> regards,
> Ankur



-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
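Both lockout signals discussed in the thread (the accountUnlockTime value and the two bind result codes) need interpreting on the application side, so here is one way to do that. This is an added example, not code from the post, from WebLogic or from Directory Server; it is written in Python rather than the WebLogic/Java stack purely for illustration. It assumes the GeneralizedTime form YYYYMMDDHHMMSSZ, the magic value 19700101000000Z, result codes 53 and 19 and the diagnostic strings exactly as the reply states them, and an ldapsearch-style LDIF input that is constructed inline.

```python
"""Classify Directory Server lockout state and bind failures.

Added example, not code from the list post or from Red Hat/Fedora Directory
Server.  Assumptions (all taken from the reply in the thread):
  * accountUnlockTime is a GeneralizedTime (YYYYMMDDHHMMSSZ); the magic
    value 19700101000000Z means "locked until an administrator resets it";
  * a bind by an inactivated user (nsAccountLock=true) fails with result 53,
    a bind by a locked-out user with result 19, with the quoted diagnostics;
  * attribute values arrive as ldapsearch's LDIF output.
"""
import base64
from datetime import datetime, timezone
from enum import Enum

PERMANENT_LOCK = "19700101000000Z"   # "locked forever" marker from the reply
UNWILLING_TO_PERFORM = 53            # inactivated account
CONSTRAINT_VIOLATION = 19            # retry limit exceeded


class AccountState(Enum):
    UNLOCKED = "unlocked"
    LOCKED_UNTIL = "locked until unlock time"
    LOCKED_UNTIL_RESET = "locked until administrator reset"


class BindFailure(Enum):
    INACTIVATED = "inactivated by administrator (nsAccountLock)"
    LOCKED_OUT = "locked out after too many wrong passwords"
    OTHER = "other failure (wrong password, unknown user, ...)"


def ldif_attr_values(ldif_text, attr):
    """Return every value of `attr` in an LDIF blob.

    Attribute names compare case-insensitively, folded continuation lines
    (leading space) are re-joined, and '::' values are base64-decoded.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    values = []
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != attr.lower():
            continue
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        values.append(value.strip())
    return values


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form Directory Server writes (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def unlock_state(unlock_times, now):
    """Map accountUnlockTime values to (AccountState, unlock datetime or None).

    No value means the attribute is unset, or was not requested: it is
    operational, so ldapsearch must name it explicitly.  A past unlock time
    is treated as an expired lock, since the reply describes the value as
    the time the user is due to be unlocked (assumption).
    """
    if not unlock_times:
        return AccountState.UNLOCKED, None
    value = unlock_times[0]
    if value == PERMANENT_LOCK:
        return AccountState.LOCKED_UNTIL_RESET, None
    until = parse_generalized_time(value)
    if until <= now:
        return AccountState.UNLOCKED, None
    return AccountState.LOCKED_UNTIL, until


def classify_bind_failure(result_code, diagnostic=""):
    """Distinguish the two lockout cases from a failed bind.

    Result code first, diagnostic text second: 19 is a generic
    constraintViolation, so it only counts as a lockout when the message
    says so (or when the server sent no message at all).
    """
    if result_code == UNWILLING_TO_PERFORM:
        return BindFailure.INACTIVATED
    if result_code == CONSTRAINT_VIOLATION:
        if not diagnostic or "retry limit" in diagnostic.lower():
            return BindFailure.LOCKED_OUT
    return BindFailure.OTHER


# Constructed ldapsearch output for a locked user (not real directory data).
SAMPLE_LDIF = """\
dn: uid=ankur,ou=People,dc=example,dc=com
uid: ankur
accountUnlockTime: 20240115103000Z
"""

if __name__ == "__main__":
    times = ldif_attr_values(SAMPLE_LDIF, "accountUnlockTime")
    print(unlock_state(times, parse_generalized_time("20240115100000Z")))
    print(classify_bind_failure(53, "Account inactivated. Contact system administrator."))
    print(classify_bind_failure(19, "Exceed retry limit. Contact system administrator to reset."))
```

The ldapsearch exit status (the `echo $?` in the reply) is the same LDAP result code, so the classifier can be fed either from the application's LDAP client exception or from a shell check. Diagnostic strings can differ between server versions, which is why the code keys on the result code and uses the text only to avoid mistaking an unrelated constraintViolation for a lockout.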