(ITS#7089) ppolicy adds PWDFAILURETIME to organizationalUnit
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#7089) ppolicy adds PWDFAILURETIME to organizationalUnit
- From: noel@debian.org
- Date: Tue, 15 Nov 2011 11:23:13 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Noel Köthe
Version: 2.4.25
OS: Debian GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.187.103.39)
Hello,

using the ppolicy overlay with no special options:

slapd.conf
...
overlay ppolicy
ppolicy_default "cn=ppolicy,dc=domain,dc=lan"
ppolicy_use_lockout
...

cn=ppolicy,dc=domain,dc=lan
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: ppolicy
pwdMaxAge: 2592000
pwdExpireWarning: 3600
pwdMaxFailure: 5
pwdLockout: TRUE
pwdMustChange: TRUE
pwdMinLength: 6
pwdSafeModify: FALSE
pwdAttribute: userPassword

I'm scanning the LDAP data for PWDFAILURETIME attributes from time to time and
found the following ou with this attribute (slapcat output):

dn: ou=test,dc=domain,dc=lan
objectClass: organizationalUnit
ou: test
structuralObjectClass: organizationalUnit
entryUUID: ad5a6bc6-8a9c-1030-810d-db1b7d10e7b5
creatorsName: cn=admin,dc=domain,dc=lan
createTimestamp: 20111014104028Z
PWDFAILURETIME: 20111115101034Z
PWDFAILURETIME: 20111115101036Z
PWDFAILURETIME: 20111115101039Z
PWDFAILURETIME: 20111115111624Z
PWDFAILURETIME: 20111115111629Z
PWDACCOUNTLOCKEDTIME: 20111115111629Z
entryCSN: 20111115111629.327963Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=lan
modifyTimestamp: 20111115111629Z

The PWDFAILURETIME values on an organizationalUnit were created by:

$ ldapsearch -x -W -D ou=test,dc=domain,dc=lan
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

IMHO it is a bug that the ppolicy adds the PWDFAILURETIME attribute to DNs
which don't have a userPassword attribute and cannot get one.
Do you agree?

Thanks for your answer.

Regards
Noel Köthe
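
Added example, not part of the original report and not OpenLDAP code: a small audit script for the scan described above, which reads slapcat LDIF output and lists entries that carry ppolicy state attributes but hold no userPassword value. The function names and the sample LDIF are assumptions made for illustration; the ou entry is trimmed from the report and the uid=alice entry is constructed.

```python
import base64

# ppolicy state attributes from the report; LDAP attribute names are case-insensitive.
STATE_ATTRS = {"pwdfailuretime", "pwdaccountlockedtime"}

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    # LDIF folds long lines; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def stray_ppolicy_state(text):
    """Return (dn, failure_count, locked) for entries that carry ppolicy
    state attributes but hold no userPassword value."""
    found = []
    for e in parse_ldif(text):
        if "userpassword" not in e and STATE_ATTRS & e.keys():
            found.append((e["dn"][0], len(e.get("pwdfailuretime", [])),
                          "pwdaccountlockedtime" in e))
    return found

# Constructed sample: the ou entry follows the report (trimmed, DN folded to
# exercise line unfolding); uid=alice is an invented control with a password.
SAMPLE = """\
dn: ou=test,dc=domain,
 dc=lan
objectClass: organizationalUnit
ou: test
PWDFAILURETIME: 20111115111624Z
PWDFAILURETIME: 20111115111629Z
PWDACCOUNTLOCKEDTIME: 20111115111629Z

dn: uid=alice,ou=people,dc=domain,dc=lan
objectClass: inetOrgPerson
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
pwdFailureTime: 20111115101034Z
"""

if __name__ == "__main__":
    for dn, failures, locked in stray_ppolicy_state(SAMPLE):
        print(f"{dn}: {failures} failure(s), locked={locked}")
```

To audit a real directory, pass the text of a slapcat dump to stray_ppolicy_state() in place of SAMPLE.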