Overview
Locked Account Check is a Policy Decision Point evaluated against the attributes in the pwdPolicy objectClass Type, as defined in draft-behera-ldap-password-policy, to determine whether an account is locked. A status of true is returned to indicate that the account is locked if any of these conditions are met:
- The value of the pwdAccountLockedTime attribute is 000001010000Z.
- The current time is less than the value of the pwdStartTime attribute.
- The current time is greater than or equal to the value of the pwdEndTime attribute.
- The current time is greater than or equal to the value of the pwdLastSuccess attribute added to the value of the pwdMaxIdle attribute.
- The current time is less than the value of the pwdAccountLockedTime attribute added to the value of the pwdLockoutDuration.
Otherwise a status of false is returned.
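
The five conditions above as one decision function. This is an added example, not code from the draft or from any directory server. The `entry` and `policy` dicts, the function names, skipping a check when its attributes are absent, and treating pwdMaxIdle and pwdLockoutDuration as seconds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Sentinel from the first condition. Year 0000 is not a valid datetime,
# so it is compared as a string before any parsing is attempted.
PERMANENT_LOCK = "000001010000Z"

def parse_gt(value):
    """Parse a UTC GeneralizedTime value, with or without seconds."""
    # Pick the format by length: strptime accepts 1-digit fields, so trying
    # both formats in turn could misread "...1230Z" as 12:03:00.
    fmt = {15: "%Y%m%d%H%M%SZ", 13: "%Y%m%d%H%MZ"}.get(len(value))
    if fmt is None:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def is_locked(entry, policy, now):
    """Return True if any of the five conditions holds.

    entry and policy are dicts of single-valued attributes (assumed shape).
    A check whose attributes are absent is skipped (assumption).
    pwdMaxIdle and pwdLockoutDuration are taken as seconds (assumption).
    """
    locked_time = entry.get("pwdAccountLockedTime")
    if locked_time == PERMANENT_LOCK:
        return True
    if "pwdStartTime" in entry and now < parse_gt(entry["pwdStartTime"]):
        return True
    if "pwdEndTime" in entry and now >= parse_gt(entry["pwdEndTime"]):
        return True
    if "pwdLastSuccess" in entry and "pwdMaxIdle" in policy:
        idle = timedelta(seconds=int(policy["pwdMaxIdle"]))
        if now >= parse_gt(entry["pwdLastSuccess"]) + idle:
            return True
    if locked_time and "pwdLockoutDuration" in policy:
        lockout = timedelta(seconds=int(policy["pwdLockoutDuration"]))
        if now < parse_gt(locked_time) + lockout:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    entry = {"pwdAccountLockedTime": "20240601115500Z"}
    print(is_locked(entry, {"pwdLockoutDuration": "600"}, now))
    print(is_locked(entry, {"pwdLockoutDuration": "300"}, now))
```

The comparisons are strict or inclusive exactly as listed: an account whose pwdEndTime equals the current time is already locked, while a lockout whose duration ends at the current time has already expired.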