[midPoint] Lock account using pwdAccountLockedTime on OpenLDAP
Radovan Semancik
radovan.semancik at evolveum.com
Wed May 29 09:01:56 CEST 2019
Hi,
This is in fact an OpenLDAP issue and I strongly recommend discussing
that on the OpenLDAP mailing list. To summarize my findings:
pwdAccountLockedTime is NOT a good way to lock accounts.
In fact, OpenLDAP does not have any good solution for locking accounts.
One possible workaround is suggested here:
https://wiki.evolveum.com/display/midPoint/Recommended+OpenLDAP+Structure#RecommendedOpenLDAPStructure-AccountDisableMechanism
I was discussing this with the OpenLDAP team on several occasions during
the last few years, but it almost looks like I was the only one who was
concerned with this problem. If more people join the discussion it might
help to improve the situation.
--
Radovan Semancik
Software Architect
evolveum.com
On 5/28/19 3:36 PM, Jeria, Esteban wrote:
>
> Any suggestion?
>
> *Esteban Jeria*
>
> esteban.jeria at cgi.com <mailto:esteban.jeria at cgi.com>
> Conseiller *CGI*/ *CGI*Consultant
>
> Sécurité - Gestion des Identités et des Accès / Security - Identity
> and Access Management
>
> *From:*Jeria, Esteban <esteban.jeria at cgi.com>
> *Sent:* 25-Apr-19 2:04 PM
> *To:* midpoint at lists.evolveum.com
> *Subject:* [midPoint] Lock account using pwdAccountLockedTime on OpenLDAP
>
> Hi,
>
> I'm trying to configure a simulated capability to manage the status
> for an account on OpenLDAP using the attribute *pwdAccountLockedTime*.
> Normally, a value "000001010000Z" means that the account is
> permanently locked and the absence of that attribute means the account
> is normal.
>
> <cap:activation>
> <cap:status>
> <cap:attribute>ri:pwdAccountLockedTime</cap:attribute>
> <cap:enableValue/>
> <cap:disableValue>000001010000Z</cap:disableValue>
> </cap:status>
> </cap:activation>
>
> However, midPoint seems to reject these values.
> When I enable a user, the attribute should be removed, but I get this
> error:
> For input string: "": For input string: "": For input string: "": For
> input string: ""
>
> And when I disable a user, I get that error:
> For input string: "000001010000Z": For input string: "000001010000Z":
> For input string: "000001010000Z": For input string: "000001010000Z"
>
> I do not know if it is relevant, but according to the LDAP schema, the
> value must be of type "GeneralizedTime", but midPoint handles it as a
> "long" and seems to interpret the value entered as a string because of
> the character "Z".
> Any other numeric value (without "Z") is accepted and is converted to
> a date on the OpenLDAP side.
>
> *Esteban Jeria*
>
> esteban.jeria at cgi.com <mailto:esteban.jeria at cgi.com>
> Conseiller *CGI*/ *CGI*Consultant
>
> Sécurité - Gestion des Identités et des Accès / Security - Identity
> and Access Management
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
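Added example (not midPoint's or OpenLDAP's own code) illustrating the root cause of the error quoted above: pwdAccountLockedTime is an RFC 4517 GeneralizedTime, not an integer, so a "long" mapping cannot parse "000001010000Z". The parser below treats the permanent-lock sentinel as a string (year 0000 is not a representable date) and, going one step beyond the thread, honours the ppolicy pwdLockoutDuration expiry for time-stamped locks; the function names and the sample values are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# ppolicy sentinel for "locked permanently"; year 0000 is not a valid
# datetime, so it is compared as a string rather than parsed.
PERMANENT_LOCK = "000001010000Z"

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction](Z|+hhmm|-hhmm)
_GT_RE = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})"
    r"(?:(?P<mi>\d{2})(?P<s>\d{2})?)?(?:[.,](?P<frac>\d+))?"
    r"(?P<tz>Z|[+-]\d{4})$")

def parse_generalized_time(value: str) -> datetime:
    """Parse an RFC 4517 GeneralizedTime into an aware UTC datetime.
    A plain integer parse (a 'long' attribute mapping) fails on the trailing
    'Z' or offset, which is the "For input string" error in the thread."""
    m = _GT_RE.match(value)
    if not m:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    frac = m.group("frac")
    micros = int((frac + "000000")[:6]) if frac else 0
    tz = m.group("tz")
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    local = datetime(int(m.group("y")), int(m.group("mo")), int(m.group("d")),
                     int(m.group("h")), int(m.group("mi") or 0),
                     int(m.group("s") or 0), micros, tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)

def lock_state(value: Optional[str], lockout_seconds: int = 0,
               now: Optional[datetime] = None) -> str:
    """Classify an account from its pwdAccountLockedTime value; lockout_seconds
    mirrors ppolicy pwdLockoutDuration (0 = a timed lock never expires)."""
    if value is None:                  # attribute absent: not locked
        return "unlocked"
    if value == PERMANENT_LOCK:
        return "locked-permanently"
    locked_at = parse_generalized_time(value)
    if lockout_seconds == 0:
        return "locked"
    now = now or datetime.now(timezone.utc)
    expires = locked_at + timedelta(seconds=lockout_seconds)
    return "locked" if now < expires else "lock-expired"
```

When auditing accounts, a present but expired timestamp is therefore not evidence of a lock unless pwdLockoutDuration is zero; the sentinel value is the only unambiguous "disabled" marker this attribute offers.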