Update README.md

This commit is contained in:
Marisa 2025-10-02 11:03:59 -04:00
parent 30b91263eb
commit 718d2453fa


@ -544,7 +544,50 @@ pwdAccountLockedTime: 20251002133529Z
``` ```
The user has been locked out. It cannot do anything using it's user and password. The user has been locked out. It cannot do anything using it's user and password.
If we want to unlock it, to give it a clean slate, create the following file If we want to unlock it, to give it a clean slate, create the following file
```
root@example:/etc/ldap/slapd.d# vim unlock_reimu.ldif
dn: uid=reimu,ou=Supergirls,dc=example,dc=com
changetype: modify
delete: pwdAccountLockedTime
```
Execute the file to unlock the user
```
root@example:/etc/ldap/slapd.d# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f unlock_reimu.ldif
modifying entry "uid=reimu,ou=Supergirls,dc=example,dc=com"
```
To understand the pwdFailureTime and pwdAccountLockedTime, before when doing our search we got:\
```
dn: uid=reimu,ou=Supergirls,dc=example,dc=com
pwdFailureTime: 20251002131513.454814Z
pwdFailureTime: 20251002131955.545595Z
pwdFailureTime: 20251002133529.173964Z
pwdAccountLockedTime: 20251002133529Z
```
after running unlock_reimu.ldif, we get:
```
dn: uid=reimu,ou=Supergirls,dc=example,dc=com
```
Let's explain how this password lockout system works in a pragmatic way: reimu it's an user which has attributes (like givenName, displayName, mail, etc.), pwdFailureTime and pwdAccountLockedTime are just attributes too, **except they exist dynamically** by the ppolicy.so module which we previously loaded, and is the one that tracks and enforces schemas and policies.
### <ins>_Setting the blocked time_</ins>
To setup the time a user gets blocked out by any reason (such as entering the wrong password several times like before), we have can create the following file:
```
root@example:/# vim update_locktime_policy.ldif
dn: cn=default,ou=policies,dc=example,dc=com
changetype: modify
replace: pwdLockoutDuration
pwdLockoutDuration: 0
```
pwdLockoutDuration being the ket attribute that sets how much **seconds** the lock out will be enforced. Use the following numbers as reference:
pwdLockoutDuration: 0 #indefinitely until an administrator user unlocks the user manually
pwdLockoutDuration: 300 #the user will be locked out for 5 minutes
pwdLockoutDuration: 86400 #the user will be locked out for 24 hours
To enforce the change, run the .ldif file
```
root@example:/# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f update_locktime_policy.ldif
modifying entry "cn=default,ou=policies,dc=example,dc=com"
```
This will apply immediately, meaning that if a user was already locked for 5 minutes **(the default locked out time by openLDAP)**, and we just updated the policy so the lock out would be 0 (indefinitely), when the 5 minutes passes after the user's lock out, the user will be automatically unlocked, the _next time_ it triggers a lock out, the new policy will be enforced, and this time will be locked indefinitely.
<!--ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"--> <!--ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"-->
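Review bot: the pwdLockoutDuration reference values (the three `pwdLockoutDuration: 0 #...` lines after "Use the following numbers as reference") are not inside a code fence, so Markdown will run them together into one paragraph; wrap them in a ``` block like the other snippets. Two wording fixes in the same region: "we have can create the following file" and "pwdLockoutDuration being the ket attribute" (key). In the explanation paragraph, "It cannot do anything using it's user and password" should read "its". The sentence "the default locked out time by openLDAP" deserves a second look: with the ppolicy overlay, an absent or zero pwdLockoutDuration means the account stays locked until an administrator resets it, so the 5-minute value is whatever this README configured earlier in cn=default rather than a server default; say which it is. Finally, both ldapmodify invocations pass the admin password with `-w 1234`, which puts the credential in shell history and process listings; since the rest of the document is a hardening walkthrough, prefer `-W` (prompt) or `-y passfile` in the examples, as the commented-out ldappasswd line at the end already does with `-W`.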