diff --git a/README.md b/README.md index dac19fa..e6452aa 100644 --- a/README.md +++ b/README.md 
@@ -544,7 +544,50 @@ pwdAccountLockedTime: 20251002133529Z ``` The user has been locked out. It cannot do anything using it's user and password. If we want to unlock it, to give it a clean slate, create the following file +``` +root@example:/etc/ldap/slapd.d# vim unlock_reimu.ldif +dn: uid=reimu,ou=Supergirls,dc=example,dc=com +changetype: modify +delete: pwdAccountLockedTime +``` +Execute the file to unlock the user +``` +root@example:/etc/ldap/slapd.d# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f unlock_reimu.ldif +modifying entry "uid=reimu,ou=Supergirls,dc=example,dc=com" +``` +To understand the pwdFailureTime and pwdAccountLockedTime, before when doing our search we got:\ +``` +dn: uid=reimu,ou=Supergirls,dc=example,dc=com +pwdFailureTime: 20251002131513.454814Z +pwdFailureTime: 20251002131955.545595Z +pwdFailureTime: 20251002133529.173964Z +pwdAccountLockedTime: 20251002133529Z +``` +after running unlock_reimu.ldif, we get: +``` +dn: uid=reimu,ou=Supergirls,dc=example,dc=com +``` +Let's explain how this password lockout system works in a pragmatic way: reimu it's an user which has attributes (like givenName, displayName, mail, etc.), pwdFailureTime and pwdAccountLockedTime are just attributes too, **except they exist dynamically** by the ppolicy.so module which we previously loaded, and is the one that tracks and enforces schemas and policies. +### _Setting the blocked time_ +To setup the time a user gets blocked out by any reason (such as entering the wrong password several times like before), we have can create the following file: +``` +root@example:/# vim update_locktime_policy.ldif +dn: cn=default,ou=policies,dc=example,dc=com +changetype: modify +replace: pwdLockoutDuration +pwdLockoutDuration: 0 +``` +pwdLockoutDuration being the ket attribute that sets how much **seconds** the lock out will be enforced. 
Use the following numbers as reference: +pwdLockoutDuration: 0 #indefinitely until an administrator user unlocks the user manually +pwdLockoutDuration: 300 #the user will be locked out for 5 minutes +pwdLockoutDuration: 86400 #the user will be locked out for 24 hours +To enforce the change, run the .ldif file +``` +root@example:/# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f update_locktime_policy.ldif +modifying entry "cn=default,ou=policies,dc=example,dc=com" +``` +This will apply immediately, meaning that if a user was already locked for 5 minutes **(the default locked out time by openLDAP)**, and we just updated the policy so the lock out would be 0 (indefinitely), when the 5 minutes passes after the user's lock out, the user will be automatically unlocked, the _next time_ it triggers a lock out, the new policy will be enforced, and this time will be locked indefinitely. \ No newline at end of file
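Review bot: the sentence near the end of the hunk asserts that 5 minutes is "the default locked out time by openLDAP", but nothing in the hunk shows the current value of pwdLockoutDuration on cn=default,ou=policies,dc=example,dc=com before the modify; either show the existing policy entry (an ldapsearch of cn=default before the ldapmodify) so the reader can see what value is being replaced, or drop the "default" wording and say "the previously configured lockout time". In the same region, the three reference lines `pwdLockoutDuration: 0 #indefinitely ...`, `pwdLockoutDuration: 300 #...` and `pwdLockoutDuration: 86400 #...` sit outside a code fence while every other snippet in the hunk is fenced, so they render as running prose; wrap them in a fence like the surrounding examples. The ldapmodify commands pass the admin password on the command line with `-w 1234`; for a README that people copy from, `-W` (prompt for the bind password) avoids leaving the credential in shell history and process listings. Finally, a few typos in the added text: "it's user and password" should be "its user and password", "we have can create" should be "we can create", "how much **seconds**" should be "how many **seconds**", "the ket attribute" should be "the key attribute", "reimu it's an user" should be "reimu is a user", and the stray trailing backslash after "before when doing our search we got:" should go.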