#4222 [RFE] Implement standard account lockout attribute, as per RFC
Closed: wontfix 5 years ago Opened 10 years ago by ygorshkov.

Hi.

We're having problems with one of our applications (Atlassian Crowd) requiring a DS to comply with the RFC draft for password policy to detect
if a user is (in)active.
So it would be really nice if we could implement that attribute too, in addition to FreeIPA's standard nsAccountLock.
For more info see below:

(pasted from here: https://jira.atlassian.com/browse/CWD-2762)

----- BEGIN PASTE -----

By setting the attribute pwdAccountLockedTime to the value 000001010000Z 
you mark an account as permanently locked. This is not yet a standard, but 
defined in an RFC draft (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10), which is currently implemented by:
OpenLDAP (http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies)
ApacheDS (http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html)
IBM Tivoli Directory Server (http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.IBMDS.doc_6.2%2Fadmin_gd39.htm)
It would be good to extend the LDAP connector to optionally support locking 
accounts through that attribute. If pwdAccountLockedTime is set to anything 
other than 000001010000Z the account should be considered enabled (as in 
that case, the attribute value might be changed by the LDAP server, e.g. 
after some time elapsed). Such an implementation would cover CWD-995 as 
well.
Konrad Windszus added a comment - 21/Jan/14 2:39 PM
Patched version of the LDAP connector to support pushing of active flag. 
Only active for OpenLDAP for now.
Konrad Windszus added a comment - 21/Jan/14 2:45 PM
The attached version of the patch defines three new crowd attributes (which 
are not yet maintainable via the web console). Those define which LDAP 
attribute should be taken to evaluate whether a user is active or inactive 
and the values for active and inactive. For the RFC draft listed above 
which is implemented by OpenLDAP those attributes are set to 
pwdAccountLockedTime (attributeName), "" (value for active users, means the 
attribute is removed if the user was turned active) and "000001010000Z" (value 
for permanently locked users).
The patch supports reading the flags from LDAP, writing them to LDAP and also 
searching for active or inactive users. Currently it is only enabled for 
the OpenLDAP connector but the implementation can be used for almost any 
LDAP as it is very flexible. I would love to see it integrated in the next 
version of Crowd.
----- END OF PASTE -----

Please create new bugs in the default NEEDS_TRIAGE milestone only to keep it in developer focus (as you see, it was noticed after a while).

Related:

Comment by tbordaz: "I doubt we can implement only 'pwdAccountLockedTime' and not the others attributes. In addition it needs to be backward compatible with current pwd policy attribute."
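Added example, not code from this ticket, FreeIPA, Crowd or OpenLDAP: a client-side evaluation of pwdAccountLockedTime under the draft's semantics (absent means unlocked, the 000001010000Z sentinel means permanently locked, any other value is a lock timestamp that expires after pwdLockoutDuration seconds, with 0 meaning locked until an administrator resets it), next to the simpler rule from the Crowd patch above and FreeIPA's nsAccountLock. It goes beyond the ticket by applying the draft's lockout-duration expiry; the entries, the clock value and the lockout duration are constructed.

```python
from datetime import datetime, timedelta, timezone

# Sentinel from the Behera draft / OpenLDAP ppolicy: administratively (permanently) locked.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC LDAP GeneralizedTime (YYYYMMDDHH[MM[SS[.fff]]]Z) into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("only UTC GeneralizedTime values are handled here")
    body = value[:-1].split(".")[0]  # drop fractional seconds, if present
    fmt = {10: "%Y%m%d%H", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(body))
    if fmt is None:
        raise ValueError(f"unrecognised GeneralizedTime: {value!r}")
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def draft_locked(entry: dict, now: datetime, lockout_duration: int = 0) -> bool:
    """Draft semantics: is the account locked at time `now`?

    `entry` is a constructed dict of single-valued attributes; `lockout_duration`
    is the policy's pwdLockoutDuration in seconds (0 = until administrator reset).
    """
    locked_time = entry.get("pwdAccountLockedTime")
    if not locked_time:
        return False  # attribute absent: never locked, or already cleared by the server
    if locked_time == PERMANENT_LOCK:
        return True  # sentinel is not a real timestamp (year 0), so never parse it
    if lockout_duration == 0:
        return True  # locked until an administrator removes the attribute
    locked_at = parse_generalized_time(locked_time)
    return now < locked_at + timedelta(seconds=lockout_duration)


def crowd_is_active(entry: dict) -> bool:
    """Rule from the Crowd patch: only the sentinel counts as inactive."""
    return entry.get("pwdAccountLockedTime") != PERMANENT_LOCK


def freeipa_is_active(entry: dict) -> bool:
    """FreeIPA's existing flag: nsAccountLock is the boolean string TRUE when disabled."""
    return entry.get("nsAccountLock", "FALSE").upper() != "TRUE"
```

The draft rule and the Crowd rule disagree on a fresh, still-active temporary lock: the draft treats it as locked while Crowd reports the user as active, which is exactly the gap the ticket asks FreeIPA to close.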

Metadata Update from @ygorshkov:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
