views:

576

answers:

2

I'm developing an application using Java, Tomcat, Spring Framework and Spring LDAP 1.2.1 for LDAP access.

According to our LDAP administrator, it is not possible to find out programmatically if a specific user is locked out in the directory; the user is just not returned. This makes life difficult for me, as I need to identify locked-out users.

Is our administrator right, or is it possible somehow to find out if a particular user is locked out? If yes, how?

+2  A: 

I'll answer myself: it turns out there is an attribute, nsaccountlock, which can be used for this purpose. Binding as the locked-out user is not possible, but searching for it is.

+1  A: 

The passwordretrycount attribute also suggests whether an account is locked or not. Typically, the LDAP is configured to allow up to 3 login attempts. If all 3 attempts failed, the passwordretrycount will be set to 3. Having a value of 0 means the account is not locked.

getty
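Both answers above come down to one read-only search performed with a service account rather than a bind as the user in question: the first answer reads `nsaccountlock`, the second reads `passwordretrycount` and compares it against the policy's retry limit. The following Spring LDAP 1.2.1 class puts both checks together. It is an added example, not code from the question or from either answerer; the directory URL, the service-account DN, the `uid`/`person` schema, and the retry limit of 3 are assumptions (the limit follows the second answer), and on Sun/Netscape-derived servers `passwordretrycount` is typically an operational attribute, so the code requests both attributes explicitly instead of relying on the default attribute set.

```java
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

/**
 * Reports the lock state of directory users with a read-only search made by a
 * service account, so a locked user (who cannot bind) is still visible.
 * Added example for the thread above; not the project's own code.
 */
public class LockedAccountFinder {

    // Attribute names from the two answers; LDAP attribute names are case-insensitive.
    private static final String LOCK_ATTR = "nsaccountlock";
    private static final String RETRY_ATTR = "passwordretrycount";
    // Assumed password-policy limit (the second answer's "up to 3 login attempts").
    private static final int MAX_RETRIES = 3;
    private static final String[] WANTED = { "uid", LOCK_ATTR, RETRY_ATTR };

    private final LdapTemplate ldapTemplate;

    public LockedAccountFinder(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    /** One user's lock state as read from the directory. */
    public static final class LockState {
        public final String uid;
        public final boolean explicitlyLocked; // nsaccountlock=true
        public final int retryCount;           // passwordretrycount, 0 if absent

        LockState(String uid, boolean explicitlyLocked, int retryCount) {
            this.uid = uid;
            this.explicitlyLocked = explicitlyLocked;
            this.retryCount = retryCount;
        }

        /** Locked either by an administrative lock or by exhausting the retry budget. */
        public boolean isLocked() {
            return explicitlyLocked || retryCount >= MAX_RETRIES;
        }
    }

    // Spring LDAP 1.2 predates generics, hence the raw Object/List types.
    private static final AttributesMapper MAPPER = new AttributesMapper() {
        public Object mapFromAttributes(Attributes attrs) throws NamingException {
            String uid = stringValue(attrs.get("uid"));
            boolean locked = "true".equalsIgnoreCase(stringValue(attrs.get(LOCK_ATTR)));
            String retry = stringValue(attrs.get(RETRY_ATTR));
            int retryCount = (retry == null) ? 0 : Integer.parseInt(retry.trim());
            return new LockState(uid, locked, retryCount);
        }
    };

    private static String stringValue(Attribute a) throws NamingException {
        return (a == null) ? null : (String) a.get();
    }

    /** Lock state of one user, or null if no entry with that uid exists under baseDn. */
    public LockState lockStateOf(String baseDn, String uid) {
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectClass", "person")).and(new EqualsFilter("uid", uid));
        List hits = ldapTemplate.search(baseDn, filter.encode(),
                SearchControls.SUBTREE_SCOPE, WANTED, MAPPER);
        return hits.isEmpty() ? null : (LockState) hits.get(0);
    }

    /** Every user the directory marks with nsaccountlock=true (list of LockState). */
    public List explicitlyLockedUsers(String baseDn) {
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectClass", "person")).and(new EqualsFilter(LOCK_ATTR, "true"));
        return ldapTemplate.search(baseDn, filter.encode(),
                SearchControls.SUBTREE_SCOPE, WANTED, MAPPER);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder connection details: a read-only service account, never the user's own bind.
        LdapContextSource source = new LdapContextSource();
        source.setUrl("ldap://ldap.example.test:389");
        source.setUserDn("cn=account-monitor,ou=services,dc=example,dc=test");
        source.setPassword(System.getenv("LDAP_MONITOR_PASSWORD"));
        source.afterPropertiesSet();

        LockedAccountFinder finder = new LockedAccountFinder(new LdapTemplate(source));
        String baseDn = "ou=people,dc=example,dc=test";

        LockState one = finder.lockStateOf(baseDn, args.length > 0 ? args[0] : "jdoe");
        if (one != null) {
            System.out.println(one.uid + " locked=" + one.isLocked()
                    + " (nsaccountlock=" + one.explicitlyLocked + ", retries=" + one.retryCount + ")");
        }
        List all = finder.explicitlyLockedUsers(baseDn);
        for (int i = 0; i < all.size(); i++) {
            System.out.println("explicitly locked: " + ((LockState) all.get(i)).uid);
        }
    }
}
```

The two checks are kept separate in `LockState` on purpose: `nsaccountlock` reflects an administrative lock that stays until someone clears it, while `passwordretrycount` reflects a policy lock that the server may reset after its unlock interval, so a monitoring job usually wants to report which of the two applies rather than a single boolean.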