On 10/2/23 4:13 AM, Cenk Y. wrote:
Hi Mark, thanks for the response.
We already use password lockout plugin, but what I need is the opposite.
I want to
* Create an account, activate it* Set an expiration date, so that after that date account is locked.
I agree with Mark, password base expiration is likely not what you are looking for (because of reset).
Before opening a RFE, you may check if the account policy plugin may match you need https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/account-policy-plugin
Yeah there is no way to "lock" an account that way. You can set the password to expire, but its not the same thing and a password reset will bump that expiration time anyway.
Please file an RFE for this feature, but it could take some time until it's implemented.
On Fri, Sep 29, 2023 at 9:50 PM Mark Reynolds <firstname.lastname@example.org> wrote:
Actually, I was wrong there is more you need to do.
You need to enable account lockout and set a max failure count:
# dsconf slapd-INSTANCE config set passwordLockout=on passwordMaxFailure=3
Then set in each user entry:
passwordRetryCount: 3 --> number equal to passwordMaxFailure
retryCountResetTime: 20230929193912Z --> you must calculate this
value (and use it for these two attributes)
That works for me.
On 9/29/23 11:40 AM, Cenk Y. wrote:
> We are running 389-ds-base.2.2.7 .
> While creating accounts, sometimes we know until when they need to be
> active. Is there a way to manually set a "expiration date" for the
> account, so after that date nsAccount is set to true?
> Having gone through rhds and 389-ds pages, it seems it's only possible
> to create a policy to deactivate accounts after an inactivity limit.
> I can always create a mechanism myself (such as adding a new attribute
> and checking it by a cron job ...) , but I want to see if there is a
> native way to do this?
> 389-users mailing list -- email@example.com
> To unsubscribe send an email to firstname.lastname@example.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://email@example.com
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Directory Server Development Team
-- Directory Server Development Team
_______________________________________________ 389-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to email@example.com Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://firstname.lastname@example.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue