OpenLDAP: Can I set pwdAccountLockedTime in the future?

Question

With OpenLDAP and the ppolicy overlay, one way to disable a user account is by setting the pwdAccountLockedTime. However, is it allowed to set this value to a future date so users account automatically expires?

From the tests I ran, this looks OK with OpenLDAP 2.6, but fails sometimes with OpenLDAP 2.4. I could not read anything in the password-policy reference, nor the ppolicy overlay documentation about this being either allowed or prevented.

Related links:

• https://www.ietf.org/archive/id/draft-behera-ldap-password-policy-11.html
• https://www.zytrax.com/books/ldap/ch6/ppolicy.html

Answer 1

There are some clues in the OpenLDAP mailing list:

• This thread from 2009

  You can use ppolicy pwdAccountLockedTime attribute to 000001010000Z value to make all bind operation fails, but using an external mean, such as a cron task, as it is impossible to set a date in the future and hope ppolicy will start honours it once this time is reached.

• This thread from 2018

  pwdAccountLockedTime is an operational attribute used by the server to record when the password was actually locked. It does not mean 'lock the account at this time'. In OpenLDAP the mere presence of this attribute in an entry locks the password.

Since 2.5 OpenLDAP implements the pwdEndTime that can be used in that situation:

This attribute specifies the time the entry's password becomes invalid for authentication. Authentication attempts made after this time will fail, regardless of expiration or grace settings. If this attribute does not exist, then this restriction does not apply.

Related SO question: How to set account expiry date in openldap