#48269 RFE: need an easy way to detect locked accounts locked by inactivity.
Closed: wontfix None Opened 6 years ago by nhosoi.

Description of problem:

Define an account policy to track login times and lock accounts due to inactivity.

As we see in documentation, the only way to activate an account which has been
inactivated by inactivity is to delete the lastlogintime attribute:

"Accounts which are inactivated through the Account Policy Plug-in cannot be
managed with the tools that are used to manage lockouts that are set manually
by the administrator (ns-activate.pl) or through the password policy.
If an account is locked because it reached the inactivity limit, it can be
reactivated by removing the lastLoginTime operational attribute from the
entry."

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/
Administration_Guide/account-policy-plugin.html#account-policy-plugin-syntax

The issue is that this has to be done by Administrator and the only way to
detect an account is locked, is to query the assigned policy of the entry to
find the inactiviy limit and do the calculation against the lastlogintime,
exactly as the server is calculating at user BIND time.

RFE: enhance ns-accountstatus.pl to be able to recognize an account must be re-activated.


There is also a request to provide more information in account status:

{{{
Entry Created Date
Entry Modified Date
User is locked - Yes/No
User is Deactivated - Yes/No
}}}

I think the only change I would say is on the CLI help:

{-I DN | [-b basedn -f filter -s scope]}

Should be:

{-I DN | -b basedn -f filter [-s scope]}

As only the scope is optional.

Otherwise, works for me, and with that doc change, you have my ack.

Replying to [comment:6 firstyear]:

I think the only change I would say is on the CLI help:

{-I DN | [-b basedn -f filter -s scope]}

Should be:

{-I DN | -b basedn -f filter [-s scope]}

As only the scope is optional.

Otherwise, works for me, and with that doc change, you have my ack.

Done, and I also updated the man page:

e033d4b..9795ec8 master -> master
commit 9795ec8
Author: Mark Reynolds mreynolds@redhat.com
Date: Mon Feb 8 10:52:48 2016 -0500

9c310b0..7b7d22c master -> master
commit 7b7d22c
Author: Mark Reynolds mreynolds@redhat.com
Date: Tue May 3 15:51:51 2016 -0400

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.5.0

5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1600

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

2 years ago

Login to comment on this ticket.

Metadata