Hi.
We're having problems with one of our applications (Atlassian Crowd) requiring a DS to comply with the RFC draft for password policy to detect if a user is (in)active. So it would be really nice if we could implement that attribute too, in addition to FreeIPA's standard nsAccountLock. For more info see below:
(pasted from here: https://jira.atlassian.com/browse/CWD-2762)
----- BEGIN PASTE -----

By setting the attribute pwdAccountLockedTime to the value 000001010000Z you mark an account as permanently locked. This is not yet a standard, but defined in an RFC draft (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10), which is currently implemented by:

- OpenLDAP (http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies)
- ApacheDS (http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html)
- IBM Tivoli Directory Server (http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.IBMDS.doc_6.2%2Fadmin_gd39.htm)

It would be good to extend the LDAP connector to optionally support locking accounts through that attribute. If pwdAccountLockedTime is set to anything other than 000001010000Z the account should be considered enabled (as in that case, the attribute value might be changed by the LDAP server, e.g. after some time elapsed). Such an implementation would cover CWD-995 as well.

Konrad Windszus added a comment - 21/Jan/14 2:39 PM
Patched version of the LDAP connector to support pushing of the active flag. Only active for OpenLDAP for now.

Konrad Windszus added a comment - 21/Jan/14 2:45 PM
The attached version of the patch defines three new Crowd attributes (which are not yet maintainable via the web console). Those define which LDAP attribute should be taken to evaluate whether a user is active or inactive and the values for active and inactive. For the RFC draft listed above, which is implemented by OpenLDAP, those attributes are set to pwdAccountLockedTime (attributeName), "" (value for active users, meaning the attribute is removed if the user was turned active) and "000001010000Z" (value for permanently locked users). The patch supports reading the flag from LDAP, writing it to LDAP and also searching for active or inactive users. Currently it is only enabled for the OpenLDAP connector but the implementation can be used for almost any LDAP as it is very flexible.
I would love to see it integrated in the next version of Crowd.

----- END OF PASTE -----
Please create new bugs in the default NEEDS_TRIAGE milestone only to keep it in developer focus (as you see, it was noticed after a while).
Related:
Comment by tbordaz: "I doubt we can implement only 'pwdAccountLockedTime' and not the other attributes. In addition it needs to be backward compatible with the current pwd policy attribute."
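The locking convention described in the pasted Crowd ticket (sentinel value = permanently locked, absent or any other value = enabled, removal on re-activation), combined with FreeIPA's standard nsAccountLock, as an added example that is not code from the ticket, from Crowd or from FreeIPA; the entry dicts and DN are constructed sample data, and writing pwdAccountLockedTime is assumed to be permitted for the connector's bind identity, as the Crowd patch assumes.

```python
from typing import Dict, List

# Sentinel from draft-behera-ldap-password-policy: "locked indefinitely".
PERMANENT_LOCK = "000001010000Z"
ATTR_DRAFT = "pwdAccountLockedTime"   # draft password-policy attribute
ATTR_IPA = "nsAccountLock"            # FreeIPA / 389-ds standard attribute


def is_active(entry: Dict[str, List[str]]) -> bool:
    """Decide whether an LDAP entry represents an enabled account.

    Rules, as the ticket describes them:
      * nsAccountLock TRUE          -> disabled (FreeIPA convention)
      * pwdAccountLockedTime absent -> enabled
      * pwdAccountLockedTime == sentinel -> permanently locked
      * any other timestamp         -> enabled (server-managed lockout,
                                       may expire; Crowd treats it as active)
    Attribute names are matched case-insensitively, as LDAP does.
    """
    attrs = {name.lower(): values for name, values in entry.items()}
    if any(v.upper() == "TRUE" for v in attrs.get(ATTR_IPA.lower(), [])):
        return False
    locked = attrs.get(ATTR_DRAFT.lower(), [])
    return not any(v == PERMANENT_LOCK for v in locked)


def search_filter(active: bool) -> str:
    """Filter to list active or inactive users by the draft attribute only."""
    locked = f"({ATTR_DRAFT}={PERMANENT_LOCK})"
    return f"(!{locked})" if active else locked


def ldif_set_active(dn: str, active: bool) -> str:
    """LDIF modify applying the patch's convention: the "" active value
    means the attribute is deleted; inactive writes the sentinel."""
    if active:
        change = f"delete: {ATTR_DRAFT}\n"
    else:
        change = f"replace: {ATTR_DRAFT}\n{ATTR_DRAFT}: {PERMANENT_LOCK}\n"
    return f"dn: {dn}\nchangetype: modify\n{change}-\n"


if __name__ == "__main__":
    # Constructed sample entries, not real directory data.
    samples = {
        "alice (no lock attrs)": {"uid": ["alice"]},
        "bob (permanent lock)": {"uid": ["bob"], ATTR_DRAFT: [PERMANENT_LOCK]},
        "carol (timed lockout)": {"uid": ["carol"], ATTR_DRAFT: ["20140121143900Z"]},
        "dave (nsAccountLock)": {"uid": ["dave"], ATTR_IPA: ["TRUE"]},
    }
    for label, entry in samples.items():
        print(f"{label}: active={is_active(entry)}")
    print(ldif_set_active("uid=bob,ou=users,dc=example,dc=com", False))
```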
Metadata Update from @ygorshkov: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)