Monday, October 2, 2023

[389-users] Re: Setting "lock" time of an account in the future

Hi Mark, thanks for the response.

We already use the password lockout plugin, but what I need is the opposite.

I want to:
* Create an account, activate it
* Set an expiration date, so that after that date the account is locked.


On Fri, Sep 29, 2023 at 9:50 PM Mark Reynolds wrote:
Actually, I was wrong; there is more you need to do.

You need to enable account lockout and set a max failure count:

# dsconf slapd-INSTANCE config set passwordLockout=on passwordMaxFailure=3

Then set in each user entry:

     passwordRetryCount: 3  --> number equal to passwordMaxFailure

     retryCountResetTime: 20230929193912Z   --> you must calculate this value (and use it for these two attributes)

     accountUnlockTime: 20230929193912Z

That works for me.



On 9/29/23 11:40 AM, Cenk Y. wrote:
> Hello,
> We are running 389-ds-base.2.2.7.
> While creating accounts, sometimes we know until when they need to be
> active. Is there a way to manually set an "expiration date" for the
> account, so after that date nsAccount is set to true?
> Having gone through rhds and 389-ds pages, it seems it's only possible
> to create a policy to deactivate accounts after an inactivity limit.
> I can always create a mechanism myself (such as adding a new attribute
> and checking it by a cron job ...), but I want to see if there is a
> native way to do this?
> Thanks
> Cenk

Directory Server Development Team
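
The per-user attributes Mark lists, written as a script that computes the timestamp and emits an LDIF modify record for review before it is passed to ldapmodify. This is an added example, not part of the original thread; GNU date, the sample DN and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build the LDIF for the three per-user attributes in the reply.
# Assumptions (not from the thread): GNU date, the sample DN, function names.

# Convert a human-readable UTC time to LDAP GeneralizedTime (YYYYmmddHHMMSSZ).
to_generalized_time() {
    date -u -d "$1" +%Y%m%d%H%M%SZ 2>/dev/null || {
        echo "unparseable time: $1" >&2
        return 1
    }
}

# Emit one LDIF modify record.
#   $1 = entry DN, $2 = UTC time, $3 = retry count (equal to passwordMaxFailure)
lock_ldif() {
    dn=$1
    count=$3
    # Reject an empty or non-numeric count before writing anything.
    case $count in
        ''|*[!0-9]*) echo "retry count must be a number: $count" >&2; return 1 ;;
    esac
    ts=$(to_generalized_time "$2") || return 1
    # The same timestamp is used for both time attributes, as in the reply.
    cat <<EOF
dn: $dn
changetype: modify
replace: passwordRetryCount
passwordRetryCount: $count
-
replace: retryCountResetTime
retryCountResetTime: $ts
-
replace: accountUnlockTime
accountUnlockTime: $ts
EOF
}

# Constructed sample entry; the time and count mirror the values in the reply.
lock_ldif "uid=jdoe,ou=People,dc=example,dc=com" "2023-09-29 19:39:12" 3
```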
