Update README.md

Marisa 2025-10-02 11:03:59 -04:00
parent 30b91263eb
commit 718d2453fa


@ -544,7 +544,50 @@ pwdAccountLockedTime: 20251002133529Z
```
The user has been locked out. It cannot do anything using it's user and password.
If we want to unlock it, to give it a clean slate, create the following file
```
root@example:/etc/ldap/slapd.d# vim unlock_reimu.ldif
dn: uid=reimu,ou=Supergirls,dc=example,dc=com
changetype: modify
delete: pwdAccountLockedTime
```
Execute the file to unlock the user
```
root@example:/etc/ldap/slapd.d# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f unlock_reimu.ldif
modifying entry "uid=reimu,ou=Supergirls,dc=example,dc=com"
```
To understand the pwdFailureTime and pwdAccountLockedTime, before when doing our search we got:\
```
dn: uid=reimu,ou=Supergirls,dc=example,dc=com
pwdFailureTime: 20251002131513.454814Z
pwdFailureTime: 20251002131955.545595Z
pwdFailureTime: 20251002133529.173964Z
pwdAccountLockedTime: 20251002133529Z
```
after running unlock_reimu.ldif, we get:
```
dn: uid=reimu,ou=Supergirls,dc=example,dc=com
```
Let's explain how this password lockout system works in a pragmatic way: reimu it's an user which has attributes (like givenName, displayName, mail, etc.), pwdFailureTime and pwdAccountLockedTime are just attributes too, **except they exist dynamically** by the ppolicy.so module which we previously loaded, and is the one that tracks and enforces schemas and policies.
### <ins>_Setting the blocked time_</ins>
To setup the time a user gets blocked out by any reason (such as entering the wrong password several times like before), we have can create the following file:
```
root@example:/# vim update_locktime_policy.ldif
dn: cn=default,ou=policies,dc=example,dc=com
changetype: modify
replace: pwdLockoutDuration
pwdLockoutDuration: 0
```
pwdLockoutDuration being the ket attribute that sets how much **seconds** the lock out will be enforced. Use the following numbers as reference:
pwdLockoutDuration: 0 #indefinitely until an administrator user unlocks the user manually
pwdLockoutDuration: 300 #the user will be locked out for 5 minutes
pwdLockoutDuration: 86400 #the user will be locked out for 24 hours
To enforce the change, run the .ldif file
```
root@example:/# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f update_locktime_policy.ldif
modifying entry "cn=default,ou=policies,dc=example,dc=com"
```
This will apply immediately, meaning that if a user was already locked for 5 minutes **(the default locked out time by openLDAP)**, and we just updated the policy so the lock out would be 0 (indefinitely), when the 5 minutes passes after the user's lock out, the user will be automatically unlocked, the _next time_ it triggers a lock out, the new policy will be enforced, and this time will be locked indefinitely.
<!--ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"-->
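Review bot: both ldapmodify invocations in this hunk (`ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f ...`) pass the admin password on the command line, where it ends up in shell history and is visible in `ps` to every local user; use `-W` to be prompted, as the commented-out ldappasswd line at the end of the hunk already does, or bind as root over `ldapi:///` with `-Y EXTERNAL`. On the same hunk: the unlock LDIF is created inside /etc/ldap/slapd.d, which is slapd's cn=config database directory and should only hold the LDIF slapd maintains itself, so write scratch files such as unlock_reimu.ldif somewhere else. The closing paragraph states two things that should be verified before the README asserts them as fact: that 5 minutes is "the default locked out time by openLDAP", and that a user already locked under the old value still unlocks after those 5 minutes once pwdLockoutDuration is changed to 0. With pwdLockoutDuration absent or 0, slapo-ppolicy keeps an account locked until an administrator removes pwdAccountLockedTime, so if the 5 minutes comes from the cn=default policy set up earlier in this README, say so; and since the overlay evaluates the lockout when the user binds, the second claim is best confirmed with an actual bind (for example `ldapwhoami` as reimu) after the policy change rather than stated from reasoning alone. The explanation that ppolicy.so "tracks and enforces schemas and policies" also overstates its role: the overlay maintains the pwd* operational attributes and enforces the password policy, schema checking is slapd's own job, and because pwdFailureTime and pwdAccountLockedTime are operational attributes an ldapsearch only returns them when they are requested explicitly (by name or with `+`), which is worth noting next to the search output. Finally, a few wording fixes for the same commit: "it's user and password", "we have can create", "the ket attribute", "how much seconds", the stray trailing backslash after "we got:", and the three pwdLockoutDuration reference values, which are the only example lines in this section not inside a code fence.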