<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
This is in fact an OpenLDAP issue and I strongly recommend discussing
that on the OpenLDAP mailing list. To summarize my findings: <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">pwdAccountLockedTime is NOT a good way to lock
accounts.</span><br>
<br>
In fact, OpenLDAP does not have any good solution for locking
accounts. One possible workaround is suggested here:<br>
<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Recommended+OpenLDAP+Structure#RecommendedOpenLDAPStructure-AccountDisableMechanism">https://wiki.evolveum.com/display/midPoint/Recommended+OpenLDAP+Structure#RecommendedOpenLDAPStructure-AccountDisableMechanism</a><br>
<br>
I was discussing this with the OpenLDAP team on several occasions
during the last few years, but it almost looks like I was the only one
who was concerned with this problem. If more people join the
discussion it might help to improve the situation.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com</pre>
<br>
<br>
On 5/28/19 3:36 PM, Jeria, Esteban wrote:<br>
</div>
<blockquote type="cite"
cite="mid:678C21BCC7A3FC44B939536BD6C8DEBC33C70178@corpowt-8">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-CA">Any suggestion</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p><b><span
style="font-size:10.5pt;font-family:"Arial",sans-serif;color:blue;background:white"
lang="FR">Esteban Jeria</span></b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:blue;background:white"
lang="FR"><o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:blue;background:white"
lang="FR"><a href="mailto:esteban.jeria@cgi.com"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">esteban.jeria@cgi.com</span></a><br>
</span><span style="font-size:9.5pt;font-family:"Calibri
Light",sans-serif;color:black;background:white"
lang="FR">Conseiller
</span><b><span
style="font-size:9.5pt;font-family:"Calibri
Light",sans-serif;color:red;background:white"
lang="FR">CGI</span></b><span
style="font-size:9.5pt;font-family:"Calibri
Light",sans-serif;color:black;background:white"
lang="FR"> / </span><b><span
style="font-size:9.5pt;font-family:"Calibri
Light",sans-serif;color:red;background:white"
lang="FR">CGI</span></b><span
style="font-size:9.5pt;font-family:"Calibri
Light",sans-serif;color:black;background:white"
lang="FR"> Consultant</span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:blue;background:white"
lang="FR"><o:p></o:p></span></p>
<p><span
style="font-size:9.5pt;font-family:"Arial",sans-serif;color:black;background:white"
lang="FR">Sécurité - Gestion des Identités et des Accès /
Security - Identity and Access Management</span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:blue;background:white"
lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="FR"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Jeria, Esteban
<a class="moz-txt-link-rfc2396E" href="mailto:esteban.jeria@cgi.com"><esteban.jeria@cgi.com></a>
<br>
<b>Sent:</b> 25-Apr-19 2:04 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> [midPoint] Lock account using
pwdAccountLockedTime on OpenLDAP<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-CA"><o:p> </o:p></span></p>
<div>
<div>
<p><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Hi,</span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> <o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I'm
trying to configure a simulated capability to manage the
status for an account on OpenLDAP using the attribute
<strong><span
style="font-family:"Arial",sans-serif">pwdAccountLockedTime</span></strong>.<br>
Normally, a value "000001010000Z" means that the account
is permanently locked and the absence of that attribute
means the account is normal.</span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> <o:p></o:p></span></p>
<pre><cap:activation>
  <cap:status>
    <cap:attribute>ri:pwdAccountLockedTime</cap:attribute>
    <cap:enableValue/>
    <cap:disableValue>000001010000Z</cap:disableValue>
  </cap:status>
</cap:activation></pre>
<p><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> <o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">However,
midPoint seems to reject these values.<br>
When I enable a user, the attribute should be removed,
but I get this error:<br>
For input string: "": For input string: "": For input
string: "": For input string: ""</span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> <o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">And
when I disable a user, I get that error:<br>
For input string: "000001010000Z": For input string:
"000001010000Z": For input string: "000001010000Z": For
input string: "000001010000Z"</span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> <o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I
do not know if it is relevant, but according to the LDAP
schema, the value must be of type "GeneralizedTime", but
midPoint handles it as a "long" and seems to interpret
the value entered as a string because of the character
"Z". <br>
Any other numeric value (without "Z") is accepted and is
converted to a date on the OpenLDAP side.</span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> <o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> <o:p></o:p></span></p>
<div>
<div>
<div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
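<p>Added example (not midPoint's code and not from either message): a small Python parser that shows why "000001010000Z" cannot be handled as a long, and how the ppolicy semantics of pwdAccountLockedTime (absent, permanent sentinel, or a real timestamp) map to a locked/unlocked status. The lockout_duration parameter is an assumption standing in for pwdLockoutDuration.</p>

```python
"""Interpret OpenLDAP ppolicy pwdAccountLockedTime values (constructed example)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# ppolicy sentinel meaning "locked by an administrator, permanently"
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> Optional[datetime]:
    """Parse the GeneralizedTime subset ppolicy writes: YYYYMMDDHHMM[SS]Z.

    Returns None for the 000001010000Z sentinel: year 0000 is not a real
    instant, so it can be neither a datetime nor (as in the thread) a long.
    """
    if value == PERMANENT_LOCK:
        return None
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC GeneralizedTime, got {value!r}")
    digits = value[:-1]
    fmt = {12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(digits))
    if fmt is None or not digits.isdigit():
        raise ValueError(f"malformed GeneralizedTime: {value!r}")
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)


def account_locked(locked_time: Optional[str], now: datetime,
                   lockout_duration: int = 0) -> bool:
    """Derive a status from the attribute the way ppolicy does.

    absent -> not locked; sentinel -> locked forever; a real timestamp ->
    locked until that time plus lockout_duration seconds (assumed to mirror
    pwdLockoutDuration, where 0 means the lock never expires).
    """
    if locked_time is None:
        return False
    if locked_time == PERMANENT_LOCK:
        return True
    locked_at = parse_generalized_time(locked_time)
    if lockout_duration == 0:
        return True
    return now < locked_at + timedelta(seconds=lockout_duration)


def as_long_fails(value: str) -> bool:
    """Reproduce the thread's errors: the attribute treated as a long."""
    try:
        int(value)
    except ValueError:  # raised for "" and for "000001010000Z"
        return True
    return False
```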
<br>
<br>
<pre class="moz-signature" cols="72">
</pre>
</body>
</html>