Hi Eugen,
okay, another option will be to define Local Account Policy for the users you want to be locked after the expiration. 

Check out this setup for Local Account Policy (CoS configuration):
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/administration_guide/index#account-policy-plugin-config

And then, use the settings from this chapter to disable the user account after the expiration:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/administration_guide/index#disabling-accounts-a-certain-amount-of-time-after-password-expiry

Sincerely,
Simon

On Thu, Sep 17, 2020 at 8:17 AM Eugen Lamers <eugen.lamers@br-automation.com> wrote:
Hi Simon,

thanx for your help. But it is rather the other way round: The customer already has the policy for special users that must not be forced to change the password. In addition, the customer now wants "normal" users to be completely locked out when the password has expired, only administrators may then be able to change the user's password and enable the user's login.

Eugen
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org