How to unlock user on ApacheDS

*爱你&永不变心* submitted on 2019-12-22 09:13:21

Question


I set up an ApacheDS with the default password policy enabled. For testing purposes I locked a simple user (objectClass=Person extended with some custom User objectClass) by entering the wrong credentials a number of times. As I expected, the user was locked (error msg: user was permanently locked).

The question now is: how do I unlock the user again? Is there a better way than just deleting and re-adding it?

I tried the same with an extended user (objectClass=pwdPolicy) but no pwd* attributes were added when the user was locked.


Answer 1:


More recently, I encountered the same problem at work. But it seems that there is no answer on the Internet. Finally, I found the answer by reading this document:

Password Policy for LDAP Directories draft-behera-ldap-password-policy

  • At section 5.3.3: pwdAccountLockedTime

This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 000001010000Z value means that the account has been
locked permanently, and that only a password administrator can unlock the account.

  • At section 5.2.12: pwdLockoutDuration

This attribute holds the number of seconds that the password cannot
be used to authenticate due to too many failed bind attempts. If
this attribute is not present, or if the value is 0 the password
cannot be used to authenticate until reset by a password
administrator.

From the above two sections, we can assume that we should connect to the ApacheDS server as the administrator (by default: uid=admin,ou=system, password=secret) and delete the user's userPassword attribute. In this way, the permanently locked user can be unlocked.

I tried this solution and it works well.

I suggest you set a value for the pwdLockoutDuration attribute; in that case the user cannot be permanently locked.

For more information:

ApacheDS password Policy




Answer 2:


Use ApacheDS Studio and log in as admin, find the user, right-click and choose "Fetch->Fetch operational attributes". Now pwdAccountLockedTime is visible and you can delete it to unlock the user.
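A way to script the check and the unlock that the two answers above describe, as an added example that is not part of the original question or answers. It applies the draft semantics Answer 1 quotes (the 000001010000Z sentinel, and a missing or zero pwdLockoutDuration, both mean a lock only an administrator can clear; a non-zero duration means the lock expires on its own) and emits the Answer 2 unlock, deletion of pwdAccountLockedTime, as an LDIF change record for ldapmodify instead of a manual edit in Directory Studio. The attribute names and value formats are those of the draft; the user DN, the timestamps, the choice to also clear pwdFailureTime, and the ldapmodify command line against ApacheDS's default port 10389 are assumptions made for illustration.

```python
"""
Added example (not code from the original question or answers): given the
operational attributes of an ApacheDS user, decide whether the account is
locked under the draft-behera semantics quoted in Answer 1, and build the
LDIF change that performs the unlock described in Answer 2 (deleting
pwdAccountLockedTime) so it can be applied with ldapmodify.
"""
from datetime import datetime, timedelta, timezone

# Sentinel from draft section 5.3.3: locked until an administrator
# intervenes, regardless of pwdLockoutDuration.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in UTC, e.g. 20190115120003Z or
    20190115120003.000Z (ApacheDS writes the fractional form)."""
    if not value.endswith("Z"):
        raise ValueError(f"only UTC ('Z') GeneralizedTime is handled: {value!r}")
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def lock_state(entry: dict, lockout_duration: int, now: datetime):
    """Classify the lock on `entry` (its operational attributes, as shown by
    "Fetch operational attributes" in Directory Studio).

    lockout_duration is the policy's pwdLockoutDuration in seconds; absent or
    0 means the lock never expires by itself (draft section 5.2.12).
    Returns (state, expires) with state one of
    "unlocked", "locked-permanently", "locked-until", "lock-expired".
    """
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None:
        return "unlocked", None
    if locked_at == PERMANENT_LOCK or lockout_duration <= 0:
        return "locked-permanently", None
    expires = parse_generalized_time(locked_at) + timedelta(seconds=lockout_duration)
    if now < expires:
        return "locked-until", expires
    # Duration has passed: binds are accepted again even though the
    # attribute is still present on the entry.
    return "lock-expired", expires


def unlock_ldif(entry: dict) -> str:
    """LDIF change record for the Answer 2 unlock: delete pwdAccountLockedTime.

    This example's own addition: the failure log (pwdFailureTime, draft 5.3.2)
    is cleared too when present, so the next wrong password cannot re-lock the
    account at once. It is skipped when absent, because an LDAP delete of a
    missing attribute fails with noSuchAttribute and would abort the modify.
    """
    changes = [f"dn: {entry['dn']}", "changetype: modify",
               "delete: pwdAccountLockedTime", "-"]
    if entry.get("pwdFailureTime"):
        changes += ["delete: pwdFailureTime", "-"]
    return "\n".join(changes) + "\n"


# Constructed sample: a permanently locked user. The DN is hypothetical;
# the attribute values follow the draft's formats.
SAMPLE_ENTRY = {
    "dn": "uid=jdoe,ou=users,dc=example,dc=com",
    "pwdAccountLockedTime": PERMANENT_LOCK,
    "pwdFailureTime": ["20190115120001.000Z", "20190115120002.000Z",
                       "20190115120003.000Z"],
}

if __name__ == "__main__":
    now = parse_generalized_time("20190115123000Z")
    state, _ = lock_state(SAMPLE_ENTRY, lockout_duration=0, now=now)
    print(f"{SAMPLE_ENTRY['dn']}: {state}")
    # Save the output as unlock.ldif and apply it as the admin from Answer 1:
    #   ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f unlock.ldif
    print(unlock_ldif(SAMPLE_ENTRY), end="")
```

The bind DN uid=admin,ou=system must be a password administrator for the policy, otherwise the server will refuse the modify on the operational attribute; binding as the locked user itself is pointless, since that bind is exactly what the lock rejects.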




Answer 3:


The answer by Mister's is perfect for unlocking an account, and also if you want to set pwdLockoutDuration for a single user (assuming the user has implemented the objectClass pwdPolicy).

There is also a global config file found in:

ou=config
  *  ads-directoryServiceId=<default>
    * ou=interceptors
       * ads-interceptorId=authenticationInterceptor
          * ou=passwordPolicies

Here we can set the default password policy:

As mine is just a test-server, I have completely disabled lockout via setting the ads-pwdlockout to FALSE. For more on configuring password policy read the official docs.
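The two ways of configuring the default policy that the answers mention, written out as LDIF modifies against the ou=config entry whose location Answer 3 gives: Answer 3's test-server choice of switching lockout off, beside the setting Answer 1 recommends, lockout kept on with a finite pwdLockoutDuration. This is an added example, not from the original answers. The entry name ads-pwdId=default and the value ads-directoryServiceId=default are assumed to match the tree above; the ads-pwd* attribute names are those of the ApacheDS configuration schema; the numbers (5 failures, a 300-second failure-count window, a 900-second lockout) are illustrative.

```ldif
# Added example: two alternative changes to the default ApacheDS password
# policy. Apply ONE of them with the admin from Answer 1, e.g.
#   ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f policy.ldif
# DN assumed from the tree in Answer 3 (ads-pwdId=default is assumed to be
# the stock entry name).

# Alternative A (Answer 3, throw-away test server only): no lockout at all.
# Repeated wrong passwords never set pwdAccountLockedTime, so brute force
# against a user is no longer slowed down by the policy.
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-pwdLockout
ads-pwdLockout: FALSE

# Alternative B (Answer 1's advice, suitable for a real server): keep lockout
# on, but make it expire. With ads-pwdLockoutDuration 0 (the behaviour the
# question ran into) the lock is permanent until an administrator clears it;
# with 900 the account frees itself after 15 minutes.
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-pwdLockout
ads-pwdLockout: TRUE
-
replace: ads-pwdMaxFailure
ads-pwdMaxFailure: 5
-
replace: ads-pwdFailureCountInterval
ads-pwdFailureCountInterval: 300
-
replace: ads-pwdLockoutDuration
ads-pwdLockoutDuration: 900
```

Whichever alternative is applied, re-read the entry afterwards to confirm the values took, and restart the server if your ApacheDS version only reads ou=config at startup; check this against the official docs for your release rather than assuming the change is live.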



Source: https://stackoverflow.com/questions/32348831/how-to-unlock-user-on-apacheds
