Ankur Agarwal wrote:
The attribute accountUnlockTime gets set to a generalized timestamp. Depending on your policy it will either be the time when the user is due to be unlocked, or the magic timestamp 19700101000000Z if he's locked out forever.
It's operational and needs to be requested if searched:
ldapsearch [-x] -D "cn=directory manager" -w <password> -b <user's DN> "(objectclass=*)" accountunlocktime
The LDAP result code is 53 (DSA unwilling to perform) when an inactivated user tries to bind. There's also some status text, "Account inactivated. Contact system administrator."
In the case where the user is locked out due to incorrect passwords the code is 19 (constraint violation) with status text of "Exceed retry limit. Contact system administrator to reset."
You can verify the output and result code with ldapsearch:
ldapsearch [-x] -D <inactivated or locked user's DN> -w <password> -s base -b "" "(objectclass=*)"
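A small helper for checking the state the post describes, written here as an added example rather than anything from the poster or the directory product: it parses ldapsearch output for accountUnlockTime (treating the magic 19700101000000Z value as a permanent lock) and maps the two bind result codes quoted above to a lockout category a monitoring job can alert on. The LDIF and DNs are constructed sample data.

```python
from datetime import datetime, timezone

# Values taken from the post: the magic "forever" timestamp and the two bind result codes.
PERMANENT_LOCK_TS = "19700101000000Z"
INACTIVATED_CODE = 53   # unwillingToPerform, "Account inactivated. Contact system administrator."
RETRY_LIMIT_CODE = 19   # constraintViolation, "Exceed retry limit. Contact system administrator to reset."

# Constructed sample of ldapsearch output for three users (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
accountUnlockTime: 19700101000000Z

dn: uid=bob,ou=people,dc=example,dc=com
accountUnlockTime: 20300101000000Z

dn: uid=carol,ou=people,dc=example,dc=com
"""

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Return {dn: accountUnlockTime-or-None} from ldapsearch LDIF output (attribute names are case-insensitive)."""
    entries, dn, unlock = {}, None, None
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if line.lower().startswith("dn:"):
            dn, unlock = line.split(":", 1)[1].strip(), None
        elif line.lower().startswith("accountunlocktime:"):
            unlock = line.split(":", 1)[1].strip()
        elif not line and dn is not None:
            entries[dn] = unlock
            dn = None
    return entries

def lockout_state(unlock_time, now):
    """Classify one accountUnlockTime value relative to `now`: unlocked, locked until a time, or locked permanently."""
    if unlock_time is None:
        return "unlocked"
    if unlock_time == PERMANENT_LOCK_TS:
        return "locked_permanently"
    unlock_at = parse_generalized_time(unlock_time)
    return "locked_until_%s" % unlock_at.isoformat() if unlock_at > now else "unlocked"

def classify_bind_result(result_code, diagnostic=""):
    """Map a failed bind's result code plus status text to a category for alerting."""
    if result_code == INACTIVATED_CODE and "inactivated" in diagnostic.lower():
        return "inactivated"
    if result_code == RETRY_LIMIT_CODE and "retry limit" in diagnostic.lower():
        return "retry_limit_lockout"
    return "other"

def report(now_generalized_time=None):
    """Lockout state per DN in SAMPLE_LDIF, evaluated at the given GeneralizedTime (default: now)."""
    now = parse_generalized_time(now_generalized_time) if now_generalized_time else datetime.now(timezone.utc)
    return {dn: lockout_state(t, now) for dn, t in parse_ldif(SAMPLE_LDIF).items()}

if __name__ == "__main__":
    for dn, state in report().items():
        print(dn, "->", state)
```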