We use PWM 1.8.0-SNAPSHOT, pwmBuild=15577458 in a production environment with OpenLDAP 2.4.30 on Solaris 11.3.13.4.0 to offer our users a self-service tool for changing their passwords, for resetting a forgotten password and to find out their user names in case they got lost. So far we are very content with this software!
From time to time, we have to administratively lock user accounts for a certain amount of time. We can typically do that in two ways:
a) by changing the password hash ("userPassword" attribute in LDAP) to an invalid string,
b) by setting the operational attribute "pwdAccountLockedTime" in the user's LDAP record to "000001010000Z".
Both ways are, for example, supported by the LDAP Account Manager (LAM) which we use and both ways prevent a successful LDAP bind of the locked user account.
The problem is: Both methods are "incompatible" with PWM's "Forgotten Password" module. In both cases, users locked on purpose can reset their passwords and regain access to our platform. If we locked the user's account by applying method a), the invalid hash would just be overwritten. If we locked the user's account by applying method b), the new password would be set by PWM and the attribute "pwdAccountLockedTime" would even be removed.
This renders both locking methods useless as users can easily circumvent them.
Therefore my question: What is the suggested way to tell PWM that a specific user record is currently administratively locked and is not allowed to reset his/her password?
Note: I do not necessarily need to prevent locked users from resetting their passwords, but locked accounts should stay locked until they are unlocked by one of the administrators.
I would be very glad to get any helpful hints. Thank you very much in advance!
Kind regards,
Steffen
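The two lock methods described in the post, turned into a defender-side check that a self-service tool could run before it allows a password reset. This is an added example, not code from PWM, LAM or the original poster: it parses a few constructed LDIF entries, flags accounts whose "userPassword" hash can never verify (method a) and accounts with a "pwdAccountLockedTime" value (method b). The permanent-lock value "000001010000Z" comes from the post; the handling of other timestamps (locked at that time, expiring after a "pwdLockoutDuration" of N seconds, never expiring when that is 0) follows OpenLDAP ppolicy semantics and the list of recognised hash schemes is an assumption for the check.

```python
"""Decide whether an LDAP user entry is administratively locked.

Added example (not part of the original post). Recognises the two lock
methods from the post before a self-service reset would be allowed:
  a) an unusable userPassword hash,
  b) OpenLDAP ppolicy's pwdAccountLockedTime operational attribute.
All LDIF entries below are constructed sample data.
"""
import base64
import binascii
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"   # ppolicy: locked until an administrator unlocks
# Assumed set of hash schemes the directory can verify (edit to match yours).
KNOWN_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{ARGON2}")


def parse_ldif(text):
    """Minimal LDIF parser: list of dicts mapping attribute -> [values].
    Handles 'attr: value' and 'attr:: base64' lines; continuation lines
    (leading space) are not needed for the sample and are not supported."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):         # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def hash_is_usable(value):
    """Method a): a hash with an unknown scheme, or a digest scheme whose
    payload is not valid base64, can never verify a bind password."""
    scheme = next((s for s in KNOWN_SCHEMES if value.startswith(s)), None)
    if scheme is None:
        return False
    payload = value[len(scheme):]
    if scheme in ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}"):
        try:
            raw = base64.b64decode(payload, validate=True)
        except binascii.Error:
            return False
        return len(raw) >= 16             # at least one digest's worth of bytes
    return bool(payload)                  # {CRYPT}, {ARGON2}: non-empty payload


def parse_generalized_time(stamp):
    """LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) -> aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ppolicy_locked(entry, now, lockout_duration=0):
    """Method b): pwdAccountLockedTime semantics as in OpenLDAP ppolicy."""
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return False
    stamp = values[0]
    if stamp == PERMANENT_LOCK:
        return True
    if lockout_duration <= 0:
        return True                       # no expiry configured: admin must unlock
    return now < parse_generalized_time(stamp) + timedelta(seconds=lockout_duration)


def lock_reasons(entry, now_stamp=None, lockout_duration=0):
    """Reasons why this entry must NOT be allowed to self-reset (empty = ok).
    now_stamp is a GeneralizedTime string; defaults to the current time."""
    now = parse_generalized_time(now_stamp) if now_stamp else datetime.now(timezone.utc)
    reasons = []
    if not hash_is_usable(entry.get("userPassword", [""])[0]):
        reasons.append("unusable userPassword hash")
    if ppolicy_locked(entry, now, lockout_duration):
        reasons.append("pwdAccountLockedTime set")
    return reasons


# Constructed sample directory: alice is fine, bob is locked via an
# invalid hash (method a), carol via the permanent ppolicy lock (method b).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNA==

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
userPassword: {SSHA}!LOCKED!not-base64

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNA==
pwdAccountLockedTime: 000001010000Z
"""


def audit(ldif_text=SAMPLE_LDIF, now_stamp=None, lockout_duration=0):
    """Map uid -> lock reasons for every entry in the LDIF text."""
    return {e["uid"][0]: lock_reasons(e, now_stamp, lockout_duration)
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for uid, reasons in audit().items():
        print(f"{uid}: {'LOCKED (' + ', '.join(reasons) + ')' if reasons else 'ok'}")
```

A self-service tool that applied this check would refuse the reset (or at least refuse to touch "pwdAccountLockedTime") whenever `lock_reasons` is non-empty; running the block as a script prints one line per sample account.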