Account Locked message?
Hello. I've been working on a system with a low security requirement and a
high usability requirement. I use the ppolicy overlay and enabled
ppolicy_use_lockout to avoid people getting confused when they fail to
log in too many times:
suffix "st=jiangxi,o=LGOP"
rootdn "userid=admin,st=jiangxi,o=LGOP"
rootpw [...]
overlay ppolicy
ppolicy_default "st=jiangxi,o=LGOP"
ppolicy_use_lockout
Restart the OpenLDAP server and test again by trying to bind with the wrong
password enough times (in my case, 20 times). Then try to bind with the
right password:
ldapsearch -H ldap://gtz.ods.org/ -xD ou=æèç,st=jiangxi,o=LGOP -W
ou=*äå* areacode
ldap_bind: Invalid credentials (49)
Here I still got error 49. I thought I would get something like "Account
Locked" and a different error code. According to the man page:
ppolicy_use_lockout
A client will always receive an LDAP InvalidCredentials response
when Binding to a locked account. By default, when a Password
Policy control was provided on the Bind request, a Password Policy
response will be included with no special error code set.
This option changes the Password Policy response to include the
AccountLocked error code. Note that sending the AccountLocked
error code provides useful information to an attacker; sites
that are sensitive to security issues should not enable this
option.
Well, I checked the related RFC (http://www.ietf.org/rfc/rfc4511.txt) and
didn't find an "Account Locked" error code. In fact,
http://www.willeke.com:9080/wikildap/Wiki.jsp?page=LDAPResultCodes
lists the error codes, and none of them is an "Account Locked" error code.
My questions:
Is my setting working? How can I tell? The web application needs to tell
whether an account is locked, to improve usability.
Thanks a lot in advance!
Best regards
Zhang Weiwu
--
Real Softservice
Huateng Tower, Unit 1788
Jia 302 3rd area of Jinsong, Chao Yang
Tel: +86 (10) 8773 0650 ext 603
Mobile: 135 9950 2413
http://www.realss.com
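The answer to the question above is that the lockout is not reported in the LDAP result code at all: the bind still fails with 49, and "AccountLocked" is the error value inside the Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1), which the server only returns when the bind request itself carried that control (for the command line, ldapsearch -e ppolicy). This added example, not from the original post or from OpenLDAP, decodes that control's BER value and separates a locked account from a plain wrong password; it assumes the application already has the bind's response controls as (oid, value) pairs, and the sample values are constructed.

```python
"""Decode the Password Policy response control sent with ppolicy_use_lockout.

PasswordPolicyResponseValue ::= SEQUENCE {
    warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                         graceAuthNsRemaining [1] INTEGER } OPTIONAL,
    error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }
"""

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
INVALID_CREDENTIALS = 49  # LDAP resultCode returned for both cases

# Error values from the password-policy draft (draft-behera-ldap-password-policy).
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}


def _tlv(buf, pos):
    """Read one BER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_ppolicy_response(value):
    """Return {'warning': (name, int) or None, 'error': name or None}."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    out, pos = {"warning": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # [0] warning: explicitly tagged CHOICE, one inner TLV
            wtag, wval, _ = _tlv(inner, 0)
            name = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            out["warning"] = (name, int.from_bytes(wval, "big"))
        elif tag == 0x81:  # [1] error: implicitly tagged ENUMERATED
            out["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big"), "unknown")
    return out


def classify_bind_failure(result_code, controls):
    """Decide what the web application should tell the user after a failed bind."""
    if result_code != INVALID_CREDENTIALS:
        return "other"
    for oid, ctrl_value in controls:
        if oid == PPOLICY_OID and parse_ppolicy_response(ctrl_value)["error"] == "accountLocked":
            return "account_locked"
    return "wrong_password"


# Constructed sample response controls (not captured from the poster's server):
LOCKED = [(PPOLICY_OID, bytes.fromhex("3003810101"))]        # error = accountLocked(1)
WRONG_PW = []                                                 # no control: just a bad password
EXPIRING = [(PPOLICY_OID, bytes.fromhex("3006a00480020e10"))]  # warning: 3600 s to expiry
```

Without the request control the response control is absent and both cases look identical to the client, which is exactly what the ldapsearch -x run above shows.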