[midPoint] Lock account using pwdAccountLockedTime on OpenLDAP

Petr Gašparík - AMI Praha a.s. petr.gasparik at ami.cz
Wed May 29 08:45:36 CEST 2019


It is a recommendation from this article:
https://ldapwiki.com/wiki/PwdAccountLockedTime

A *000001010000Z* value means that the account has been locked permanently,
and that only a password administrator can unlock the account.

--

Best regards

*Petr Gašparík*
solution architect

gsm: [+420] 603 523 860
e‑mail: petr.gasparik at ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz




On Tue, 28 May 2019 at 17:15, Paolo Cravero <paolo.cravero at csi.it>
wrote:

> On 28 May 2019 at 15:36, "Jeria, Esteban" <esteban.jeria at cgi.com>
> wrote:
>
> Any suggestion?
>
> We're not using that trick, but the value “000001010000Z” looks too short
> to me: it is missing the seconds. See:
>
> 000001010000Z   vs
> 20050103121520Z
>
>
> Have you tried with 000001010000*00*Z? Even though seconds are optional
> according to GeneralizedTime <https://ldapwiki.com/wiki/GeneralizedTime>
> schema definition.
>
> Paolo
>
>
>
> *Esteban Jeria*
>
> esteban.jeria at cgi.com
> Conseiller *CGI* / *CGI* Consultant
>
> Sécurité - Gestion des Identités et des Accès / Security - Identity and
> Access Management
>
>
>
> *From:* Jeria, Esteban <esteban.jeria at cgi.com>
> *Sent:* 25-Apr-19 2:04 PM
> *To:* midpoint at lists.evolveum.com
> *Subject:* [midPoint] Lock account using pwdAccountLockedTime on OpenLDAP
>
>
>
> Hi,
>
>
>
> I'm trying to configure a simulated capability to manage the status for an
> account on OpenLDAP using the attribute *pwdAccountLockedTime*.
> Normally, a value "000001010000Z" means that the account is permanently
> locked and the absence of that attribute means the account is normal.
>
>
>
>   <cap:activation>
>     <cap:status>
>       <cap:attribute>ri:pwdAccountLockedTime</cap:attribute>
>       <cap:enableValue/>
>       <cap:disableValue>000001010000Z</cap:disableValue>
>     </cap:status>
>   </cap:activation>
>
>
>
> However, midPoint seems to reject these values.
> When I enable a user, the attribute should be removed, but I get this
> error:
>  For input string: "": For input string: "": For input string: "": For
> input string: ""
>
>
>
> And when I disable a user, I get that error:
>  For input string: "000001010000Z": For input string: "000001010000Z": For
> input string: "000001010000Z": For input string: "000001010000Z"
>
>
>
> I do not know if it is relevant, but according to the LDAP schema, the
> value must be of type "GeneralizedTime", but midPoint handles it as a "long"
> and seems to interpret the value entered as a string because of the character
> "Z".
> Any other numeric value (without "Z") is accepted and is converted to a
> date on the OpenLDAP side.
>
>
>
>
>
> *Esteban Jeria*
>
> esteban.jeria at cgi.com
> Conseiller *CGI* / *CGI* Consultant
>
> Sécurité - Gestion des Identités et des Accès / Security - Identity and
> Access Management
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
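
The following is an added example, written for this thread; it is not code from midPoint, from the OpenLDAP ppolicy overlay, or from any of the posters. It makes the two points of the exchange above concrete: the value of pwdAccountLockedTime is an RFC 4517 GeneralizedTime, whose minutes and seconds are optional (so both 000001010000Z and Paolo's 00000101000000Z are syntactically valid), and a connector that stores the attribute as a long cannot accept either the "Z" suffix or the empty value sent on enable; "For input string: ..." is the message Java's Long.parseLong produces when its input is not a number, which matches the two errors Esteban reports. The example assumes the sentinel is recognised by its meaning (year 0000, 1 January, 00:00:00 UTC) rather than by exact string comparison, which the thread does not settle, and it uses the ppolicy meaning of pwdLockoutDuration = 0 (locked until a password administrator resets it). The attribute values in the test are constructed from the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fff](Z|+hh[mm]|-hh[mm]).
# Minutes and seconds are optional, which is why "000001010000Z" (no seconds)
# and "00000101000000Z" (with seconds) are both valid spellings.
_GT_RE = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})"
    r"(?:(?P<mi>\d{2})(?P<s>\d{2})?)?"
    r"(?:[.,]\d+)?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)


@dataclass(frozen=True)
class LockStatus:
    state: str  # "unlocked" | "locked" | "locked_permanent" | "invalid"
    locked_at: Optional[datetime] = None
    unlock_at: Optional[datetime] = None
    note: str = ""


def split_generalized_time(value: str) -> dict:
    """Break a GeneralizedTime string into integer fields; ValueError on bad syntax."""
    m = _GT_RE.match(value)
    if not m:
        raise ValueError(f"not an RFC 4517 GeneralizedTime: {value!r}")
    tz = m.group("tz")
    if tz == "Z":
        offset = 0
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * (int(tz[1:3]) * 60 + int(tz[3:5] or 0))
    return {
        "year": int(m.group("y")), "month": int(m.group("mo")), "day": int(m.group("d")),
        "hour": int(m.group("h")), "minute": int(m.group("mi") or 0),
        "second": int(m.group("s") or 0), "utc_offset_min": offset,
    }


def is_permanent_lock(value: str) -> bool:
    """True for the 000001010000Z sentinel, with or without the optional seconds.
    Assumption of this example: the sentinel is matched by meaning (0000-01-01
    00:00:00 UTC), not by exact string comparison."""
    try:
        f = split_generalized_time(value)
    except ValueError:
        return False
    fields = (f["year"], f["month"], f["day"], f["hour"], f["minute"], f["second"], f["utc_offset_min"])
    return fields == (0, 1, 1, 0, 0, 0, 0)


def to_datetime(value: str) -> datetime:
    """Convert to an aware datetime. Year 0000 is outside Python's datetime range,
    so the sentinel must be checked before calling this."""
    f = split_generalized_time(value)
    tz = timezone(timedelta(minutes=f["utc_offset_min"]))
    return datetime(f["year"], f["month"], f["day"], f["hour"], f["minute"], f["second"], tzinfo=tz)


def classify_lock(value: Optional[str], lockout_duration_s: int = 0,
                  now: Optional[datetime] = None) -> LockStatus:
    """Interpret pwdAccountLockedTime as the thread describes it: attribute absent
    means a normal account, the sentinel means a permanent lock, any other
    timestamp is a lock that expires after pwdLockoutDuration seconds
    (0 = locked until a password administrator resets it)."""
    if value is None or value == "":
        return LockStatus("unlocked", note="pwdAccountLockedTime absent")
    if is_permanent_lock(value):
        return LockStatus("locked_permanent", note="sentinel; only a password administrator can unlock")
    try:
        locked_at = to_datetime(value)
    except ValueError as exc:
        return LockStatus("invalid", note=str(exc))
    if lockout_duration_s <= 0:
        return LockStatus("locked", locked_at=locked_at, note="no pwdLockoutDuration: locked until reset")
    unlock_at = locked_at + timedelta(seconds=lockout_duration_s)
    now = now or datetime.now(timezone.utc)
    if now >= unlock_at:
        return LockStatus("unlocked", locked_at=locked_at, unlock_at=unlock_at, note="lockout expired")
    return LockStatus("locked", locked_at=locked_at, unlock_at=unlock_at)


def numeric_long_parse(value: str) -> Optional[int]:
    """Mimic a connector that stores the attribute as a long: anything that is not
    all digits (the "Z" suffix, or the empty value sent on enable) is rejected."""
    if not value.isdigit():
        return None
    return int(value)
```

Run against the values from the thread, classify_lock reports "locked_permanent" for both spellings of the sentinel and "unlocked" when the attribute is absent, while numeric_long_parse rejects exactly the two values that produced the "For input string" errors; a timestamped lock such as 20050103121520Z is reported as locked until the policy's lockout duration has elapsed.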
