Which LDAP attribute is modified when a user account gets locked?
When a user account gets locked in an LDAP server, which standard LDAP attribute is being modified? Is that a standard LDAP one or specific to the server (i.e. Active Directory / Novell etc.)?
There is a very old draft, but I do not think any work has been done on this in some time. Also, Sun and UnboundID directory server support the Account Usable request and response controls.
Check the User-Account-Control Attribute, described here: http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx
The draft Terry Gardner referred to is mostly implemented in OpenLDAP, so if that's what you're using that covers it. Specifically the attribute is pwdLockedTime. It is either absent or set to the time the account was locked. It is an operational attribute so you have to request it specifically or via "+".
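The pwdLockedTime check described in the answer above, as an added example that is not part of the original answers. It assumes an entry already fetched with pwdLockedTime requested explicitly (or via "+"); the `000001010000Z` permanent-lock value and the pwdLockoutDuration semantics come from the password policy draft rather than from this page, and `lock_state` and the sample entries are hypothetical names and constructed data.

```python
from datetime import datetime, timedelta, timezone

# Draft sentinel: locked until an administrator unlocks. Year 0000 cannot be
# parsed by datetime, so it must be checked before parsing.
PERMANENT = "000001010000Z"

def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime such as 20240305101500Z (fraction optional)."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC (Z) GeneralizedTime: %r" % value)
    body = value[:-1].split(".")[0]
    fmt = "%Y%m%d%H%M%S" if len(body) == 14 else "%Y%m%d%H%M"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def lock_state(entry, lockout_duration, now):
    """entry: attribute name -> list of values from a search that requested
    pwdLockedTime or '+'. lockout_duration: pwdLockoutDuration (seconds) from
    the applicable policy; 0 or None means no automatic unlock."""
    attrs = {k.lower(): v for k, v in entry.items()}  # names are case-insensitive
    values = attrs.get("pwdlockedtime")
    if not values:                      # attribute absent: account is not locked
        return ("not_locked", None)
    raw = values[0]
    if isinstance(raw, bytes):          # some client libraries return bytes
        raw = raw.decode("ascii")
    if raw == PERMANENT:
        return ("locked_until_admin_unlock", None)
    locked_at = parse_generalized_time(raw)
    if not lockout_duration:
        return ("locked_until_admin_unlock", locked_at)
    expires = locked_at + timedelta(seconds=lockout_duration)
    # The stored value alone does not say whether the lock still applies;
    # it has to be compared against the policy's duration.
    return ("lock_expired" if now >= expires else "locked", expires)

# Constructed sample entries (not real directory data).
NOW = datetime(2024, 3, 5, 10, 30, tzinfo=timezone.utc)
SAMPLE_LOCKED = {"uid": ["jdoe"], "pwdLockedTime": [b"20240305101500Z"]}
SAMPLE_PERMANENT = {"uid": ["asmith"], "pwdlockedtime": ["000001010000Z"]}
SAMPLE_CLEAN = {"uid": ["bjones"]}

if __name__ == "__main__":
    for e in (SAMPLE_LOCKED, SAMPLE_PERMANENT, SAMPLE_CLEAN):
        print(e["uid"][0], lock_state(e, 1800, NOW))
```
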