[midPoint] Lock account using pwdAccountLockedTime on OpenLDAP

Jeria, Esteban esteban.jeria at cgi.com
Tue May 28 20:06:26 CEST 2019


Hi Paolo,



I already tried that, and midPoint gives an error when I add the "Z".

But according to the OpenLDAP doc, this attribute must have this specific value "000001010000Z" to be interpreted as permanently locked status, otherwise it is just interpreted as a normal date.


Esteban Jeria
esteban.jeria at cgi.com
Conseiller CGI / CGI Consultant
Sécurité - Gestion des Identités et des Accès / Security - Identity and Access Management







On 28 May 2019 at 15:36, "Jeria, Esteban" wrote:



We're not using that trick, but the value "000001010000Z" looks too short to me: it is missing the seconds. See:

000001010000Z   vs
20050103121520Z



Have you tried with 00000101000000Z? Even though seconds are optional according to GeneralizedTime<https://ldapwiki.com/wiki/GeneralizedTime> schema definition.

Paolo





Any suggestion?


Esteban Jeria
esteban.jeria at cgi.com
Conseiller CGI / CGI Consultant
Sécurité - Gestion des Identités et des Accès / Security - Identity and Access Management





From: Jeria, Esteban
Sent: 25-Apr-19 2:04 PM
To: midpoint at lists.evolveum.com
Subject: [midPoint] Lock account using pwdAccountLockedTime on OpenLDAP

Hi,

I'm trying to configure a simulated capability to manage the status for an account on OpenLDAP using the attribute pwdAccountLockedTime.
Normally, a value "000001010000Z" means that the account is permanently locked and the absence of that attribute means the account is normal.



  <cap:activation>
    <cap:status>
      <cap:attribute>ri:pwdAccountLockedTime</cap:attribute>
      <cap:enableValue/>
      <cap:disableValue>000001010000Z</cap:disableValue>
    </cap:status>
  </cap:activation>



However, midPoint seems to reject these values.
When I enable a user, the attribute should be removed, but I get this error:
   For input string: "": For input string: "": For input string: "": For input string: ""



And when I disable a user, I get that error:
   For input string: "000001010000Z": For input string: "000001010000Z": For input string: "000001010000Z": For input string: "000001010000Z"



I do not know if it is relevant, but according to the LDAP schema, the value must be of type "GeneralizedTime", while midPoint handles it as a "long" and seems to interpret the value entered as a string because of the character "Z".
Any other numeric value (without "Z") is accepted and is converted to a date on OpenLDAP side.

Esteban Jeria
esteban.jeria at cgi.com
Conseiller CGI / CGI Consultant
Sécurité - Gestion des Identités et des Accès / Security - Identity and Access Management
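The thread turns on two facts: "000001010000Z" is a syntactically valid RFC 4517 GeneralizedTime (minutes and seconds are optional, so the 12-digit form is legal), and a connector that stores the attribute as a numeric long cannot carry the trailing "Z" or the empty value used to clear it. The following Python is an added example, not code from midPoint, the OpenLDAP project or anyone in the thread. It implements a small GeneralizedTime parser from the RFC 4517 grammar, interprets pwdAccountLockedTime the way the messages above describe (absent means not locked, the documented sentinel means permanently locked, anything else is a lock timestamp), and reproduces why a long-typed attribute rejects both values. The function names and the sample values other than those quoted in the thread are my own.

```python
import re
from datetime import datetime, timezone, timedelta
from typing import Optional, Tuple

# Sentinel that the slapo-ppolicy documentation (quoted in the thread) uses
# for a permanently locked account. Only this exact string is treated as such;
# whether OpenLDAP also accepts the 14-digit variant is not claimed here.
PERMANENT_LOCK = "000001010000Z"

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][(.|,)fraction](Z|+hhmm|-hhmm)
# Minutes and seconds are optional, so a 12-digit value followed by Z is valid.
_GT_RE = re.compile(
    r"^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})"
    r"(?:(?P<minute>\d{2})(?P<second>\d{2})?)?"
    r"(?:[.,](?P<fraction>\d+))?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)


def is_generalized_time(value: str) -> bool:
    """Purely syntactic check against the GeneralizedTime grammar."""
    return _GT_RE.match(value) is not None


def parse_generalized_time(value: str) -> datetime:
    """Parse a GeneralizedTime into a timezone-aware datetime (UTC for 'Z')."""
    m = _GT_RE.match(value)
    if m is None:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    year = int(m["year"])
    if year == 0:
        # Year 0000 is legal in the LDAP syntax but outside datetime's range;
        # the only year-0 value with a defined meaning is the lock sentinel.
        raise ValueError("year 0000 is not a real timestamp")
    micro = 0
    if m["fraction"]:
        micro = int((m["fraction"] + "000000")[:6])  # pad/truncate to microseconds
    tz = m["tz"]
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        hours, minutes = int(tz[1:3]), int(tz[3:5] or 0)
        tzinfo = timezone(sign * timedelta(hours=hours, minutes=minutes))
    return datetime(year, int(m["month"]), int(m["day"]), int(m["hour"]),
                    int(m["minute"] or 0), int(m["second"] or 0), micro,
                    tzinfo=tzinfo)


def lock_state(pwd_account_locked_time: Optional[str]) -> Tuple[str, Optional[datetime]]:
    """Interpret pwdAccountLockedTime as the thread describes OpenLDAP doing it:
    absent/empty -> unlocked, the sentinel -> permanently locked,
    any other GeneralizedTime -> locked, with the lock timestamp returned."""
    if not pwd_account_locked_time:
        return ("unlocked", None)
    if pwd_account_locked_time == PERMANENT_LOCK:
        return ("locked-permanent", None)
    return ("locked", parse_generalized_time(pwd_account_locked_time))


def fits_in_long(value: str) -> bool:
    """Mimic a connector that maps the attribute to a numeric long. Neither the
    sentinel (because of the trailing 'Z') nor the empty string used to clear
    the attribute parses, which matches the 'For input string' errors quoted
    in the thread; a bare digit string does parse."""
    try:
        int(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values: the two forms from the thread plus a real timestamp.
    for v in (None, "000001010000Z", "00000101000000Z", "20050103121520Z"):
        print(repr(v), "valid syntax:", v is not None and is_generalized_time(v),
              "long-compatible:", v is not None and fits_in_long(v))
    print(lock_state("20050103121520Z"))
```

Running the script shows that both "000001010000Z" and "00000101000000Z" pass the syntax check while neither survives a long conversion, which is the mismatch the thread is about: the fix lies in the attribute's type mapping, not in the length of the value. The 14-digit variant is also only syntactically valid here; this example deliberately does not assert that OpenLDAP treats it as the lock sentinel.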
