IDP v3 - OpenLDAP password policy - locked account

Cantor, Scott cantor.2 at
Tue May 19 13:40:25 EDT 2015

On 5/19/15, 12:50 PM, "Emilio Penna" <emilio.penna at> wrote:
>I saw some messages in idp source, referred to locked accounts
>(, so I think that it could be possible to
>inform the user of locked accounts.

Daniel put some comments in the bottom of the ldap-authn-config file that are a little difficult to parse but it describes how to add beans to add the password policy features from ldaptive into the wiring.

When that stuff is wired in, the LDAP validator will pass the results it gets into the message classification rules in password-authn-config to classify different messages as specific events. If something is mapped to AccountLocked, then it will run the empty user flow authn/conditions/account-locked and then pass control back to the form. By default nothing maps to that and it will never do that.

Fundamentally it has nothing to do with LDAP, the machinery that maps error or exception text to events works in all the login flows, but the LDAP one specifically has features for pulling supplemental material from the LDAP response.

The user flows in flows/authn/conditions are undocumented right now, they're empty "just return" subflows that can be customized to do work in response to authentication events like an expiring password, without having to customize any of the system-delivered flows.

-- Scott
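The wiring Scott describes, shown as an added illustration that is not part of the original thread or of the IdP's shipped configuration: the two fragments go in ldap-authn-config.xml and password-authn-config.xml respectively. The event name AccountLocked and the authn/conditions/account-locked subflow are the ones named above; the response-handler bean, the map bean id, and the ACCOUNT_LOCKED string are assumptions, so check them against the commented block in your own ldap-authn-config.xml.

```xml
<!-- ldap-authn-config.xml: hand ldaptive's password-policy response handler to the
     authenticator so account-state errors reach the validator (bean name assumed) -->
<bean id="authenticationResponseHandlers"
      class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler" />

<!-- password-authn-config.xml: classify the validator's error text as an event.
     Each <value> is a substring matched against the text the validator returns;
     the first matching entry wins, so keep the locked-account string specific.
     An event key with no values (the default described above) never fires. -->
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
    <entry key="AccountLocked">
        <list>
            <!-- ldaptive's password-policy error name for a locked account (assumed) -->
            <value>ACCOUNT_LOCKED</value>
        </list>
    </entry>
</util:map>
```

Once the entry matches, the IdP runs authn/conditions/account-locked before returning to the login form, so that subflow is the place to add a user-facing message rather than editing the system flows.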
