...
The user account in the external directory has the following new settings:
| Setting | Description |
|---|---|
| ubiloginAccountControl: cant-change-credentials | If the multi-valued attribute "ubiloginAccountControl" contains the value "cant-change-credentials", the user cannot change their password from UAS. |
| ubiloginAccountControl: dont-expire-credentials | If the multi-valued attribute "ubiloginAccountControl" contains the value "dont-expire-credentials", the user's password does not expire and the setting "policy.password.max-age" is ignored for this user. |
| ubiloginPasswordLastSet: 0 | If the attribute "ubiloginPasswordLastSet" is set to "0", the user has to change their password at the next login. |
| ubiloginNotBefore: | The time before which the user account is disabled and cannot be used. The timestamp is given in milliseconds after the Unix epoch. |
| ubiloginNotOnOrAfter: | The time at or after which the user account is disabled and cannot be used. The timestamp is given in milliseconds after the Unix epoch. |
| ubiloginEnabled: | The account can be disabled by setting this attribute to "FALSE". The default value is "TRUE". |
| ubiloginBadLogonCount: | The system keeps a count of bad logons in this attribute. If the count exceeds the value of the setting "policy.lockout.threshold", the user account is locked. An administrator can clear the lock by setting this attribute to 0. |
Updating the External Directory Schema
The external directory needs a schema update that installs a new auxiliary class "ubiloginAccount" in the directory. The user objects used with external directory password policies have to include this class.
How the schema is updated depends on the specific LDAP server. Ubisecure distributes schema files for AD LDS (ADAM) and OpenLDAP. Other LDAP directories may use the OpenLDAP schema file as an example.
- On AD LDS, import the file adam.ubilogin-account.schema.
- On OpenLDAP, import the file openldap.ubilogin-account.schema.
The user objects should then be updated to include this new auxiliary class.
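Pulling the settings table and the schema procedure together, here is an added Python example (not Ubisecure's own code) that writes the LDIF an administrator would feed to ldapmodify to add the ubiloginAccount auxiliary class and the chosen settings to one user object, and that evaluates an entry against the rules in the table. The DN and attribute values are constructed for the example; the comparison details the page leaves unstated (strictly greater for "exceeds", a non-zero ubiloginPasswordLastSet read as a millisecond timestamp, policy.password.max-age taken in milliseconds) are assumptions and are marked as such in the code.

```python
"""Apply and evaluate the ubiloginAccount settings from the table above.
Added example, not Ubisecure code. Where the page is silent this makes
ASSUMPTIONS marked below: "exceeds" means strictly greater, a non-zero
ubiloginPasswordLastSet is a millisecond timestamp, max-age is in ms."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

Entry = Dict[str, List[str]]  # LDAP entry: attribute name -> list of string values

@dataclass
class Policy:
    lockout_threshold: int                     # policy.lockout.threshold
    password_max_age_ms: Optional[int] = None  # policy.password.max-age (ASSUMED in ms)

@dataclass
class AccountStatus:
    usable: bool = True
    must_change_password: bool = False
    can_change_password: bool = True
    reasons: List[str] = field(default_factory=list)

def _values(entry: Entry, attr: str) -> List[str]:
    # Case-insensitive lookup, since LDAP attribute names are case-insensitive.
    return [v for name, vals in entry.items() if name.lower() == attr.lower() for v in vals]

def _first(entry: Entry, attr: str) -> Optional[str]:
    vals = _values(entry, attr)
    return vals[0] if vals else None

def evaluate_account(entry: Entry, policy: Policy, now_ms: int) -> AccountStatus:
    """Decide whether the entry is usable at now_ms and which credential rules apply."""
    st = AccountStatus()
    controls = {v.lower() for v in _values(entry, "ubiloginAccountControl")}

    def deny(reason: str) -> None:
        st.usable = False
        st.reasons.append(reason)

    if "ubiloginaccount" not in {v.lower() for v in _values(entry, "objectClass")}:
        deny("object lacks the auxiliary class ubiloginAccount")
    # ubiloginEnabled defaults to TRUE; only an explicit FALSE disables the account.
    if (_first(entry, "ubiloginEnabled") or "TRUE").upper() == "FALSE":
        deny("ubiloginEnabled is FALSE")
    # Validity window; both bounds are milliseconds after the epoch.
    not_before = _first(entry, "ubiloginNotBefore")
    if not_before is not None and now_ms < int(not_before):
        deny("current time is before ubiloginNotBefore")
    not_on_or_after = _first(entry, "ubiloginNotOnOrAfter")
    if not_on_or_after is not None and now_ms >= int(not_on_or_after):
        deny("current time is on or after ubiloginNotOnOrAfter")
    # Lockout. ASSUMPTION: "exceeds" means strictly greater than the threshold.
    bad = int(_first(entry, "ubiloginBadLogonCount") or 0)
    if bad > policy.lockout_threshold:
        deny(f"locked: {bad} bad logons exceed policy.lockout.threshold {policy.lockout_threshold}")

    st.can_change_password = "cant-change-credentials" not in controls
    last_set = _first(entry, "ubiloginPasswordLastSet")
    if last_set == "0":
        st.must_change_password = True
        st.reasons.append("ubiloginPasswordLastSet is 0: change password at next login")
    elif (last_set is not None and policy.password_max_age_ms is not None
          and "dont-expire-credentials" not in controls  # max-age is ignored for this user
          and now_ms - int(last_set) > policy.password_max_age_ms):  # ASSUMPTION: ms timestamp
        st.must_change_password = True
        st.reasons.append("password older than policy.password.max-age")
    return st

def ldif_enable_policy(dn: str, controls: Iterable[str] = (), force_change: bool = False,
                       not_before_ms: Optional[int] = None,
                       not_on_or_after_ms: Optional[int] = None) -> str:
    """LDIF modify record adding the auxiliary class and the chosen settings to one user."""
    lines = [f"dn: {dn}", "changetype: modify", "add: objectClass", "objectClass: ubiloginAccount", "-"]
    controls = list(controls)
    if controls:
        lines += ["add: ubiloginAccountControl"] + [f"ubiloginAccountControl: {c}" for c in controls] + ["-"]
    if force_change:
        lines += ["replace: ubiloginPasswordLastSet", "ubiloginPasswordLastSet: 0", "-"]
    for attr, value in (("ubiloginNotBefore", not_before_ms), ("ubiloginNotOnOrAfter", not_on_or_after_ms)):
        if value is not None:
            lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"

def ldif_unlock(dn: str) -> str:
    """LDIF modify record an administrator applies to clear a lockout."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: ubiloginBadLogonCount", "ubiloginBadLogonCount: 0", "-"]) + "\n"

# Constructed sample (hypothetical DN and values, not taken from the page).
SAMPLE_DN = "cn=alice,ou=people,dc=example,dc=com"
SAMPLE_ENTRY: Entry = {
    "objectClass": ["top", "person", "ubiloginAccount"],
    "ubiloginAccountControl": ["dont-expire-credentials"],
    "ubiloginPasswordLastSet": ["1000"],
    "ubiloginNotOnOrAfter": ["2000000"],
    "ubiloginBadLogonCount": ["3"],
}
SAMPLE_POLICY = Policy(lockout_threshold=5, password_max_age_ms=500)
```

Apply the LDIF only after the schema file for your directory has been imported: adding objectClass ubiloginAccount to an entry fails until the class exists. The evaluator is a useful pre-check; run it over an exported entry (for example with now_ms set to the planned cut-over time) to confirm that the window, enablement and lockout attributes describe the state you intended before relying on UAS to enforce them.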
...