[Date Prev][Date Next] [Chronological] [Thread] [Top]

Operational attribute pwdFailureTime not being added to entries

To: openldap-software@openldap.org
Subject: Operational attribute pwdFailureTime not being added to entries
From: Ryan Steele <rsteele@archer-group.com>
Date: Thu, 13 Mar 2008 18:11:57 -0400
User-agent: Thunderbird 2.0.0.12 (Windows/20080213)

Hello,

First let me thank the gracious folks on this list who have lent their
advice to me on my path towards implementing ppolicy.  I'm making
progress; I can reject new passwords based on password history, and
reject weak passwords.  However, I'm having a bit of a time trying to
get the lockouts to work.  My policy is defined as:

56 cn=Password Policy,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdLockoutDuration: 60
pwdMaxFailure: 3


However, even after many failure attempts, I see no pwdFailureTime attributes in the offending user's entry:

dn: uid=testuser,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser
sn: testuser
givenName: testuser
uid: testuser
uidNumber: 1009
gidNumber: 513
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: 42d5971e-7b49-102c-8aae-af676a6dbed9
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20080229193543Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-1484159386-3942804292-94657008-3018
sambaPrimaryGroupSID: S-1-5-21-1484159386-3942804292-94657008-513
sambaLogonScript: logon.bat
sambaProfilePath: \\masterldap.example.com\profiles\testuser
sambaHomePath: \\masterldap.example.com\testuser
sambaHomeDrive: H:
pwdHistory: 20080313194326Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}C2DOwhgHFTc
 XmGxRdqlpBUz12eZpRXI4
pwdHistory: 20080313194602Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}AboL9Sp7678
 X2KsPv8sMPE5CC2i6c6LY
pwdHistory: 20080313194626Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7hUqCecYGvd
 g5bx1ybw71YQcZShicmFk
pwdHistory: 20080313194852Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}E920Fe1PlYV
 Bwjn+rpiOFO8UaiRzZnB6
pwdHistory: 20080313200637Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}hFfD2xFwG/T
 s5PVg3CAIf4i6rkpaZnNM
pwdHistory: 20080313200941Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}/GpzR2wV7dy
 XITeU+5nBpFyTKdgxQzk4
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [U]
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1205438797
sambaPwdMustChange: 1209326797
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
pwdChangedTime: 20080313200941Z
entryCSN: 20080313200941Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080313200941Z


Is the shadowAccount attribute killing me?  I'm not really sure.  Just for completeness, the slapd.conf (abridged) looks like:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/ppolicy.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
modulepath      /usr/lib/openldap
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
   by   self    write
   by   *       auth
access to *
   by   *       read
moduleload      smbk5pwd.la
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
loglevel -1
sasl-secprops none



As always, thank you for your help.

Best Regards,
Ryan

Follow-Ups:
- Re: Operational attribute pwdFailureTime not being added to entries
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: New error (ldap_get_values_len returns NULL)
Next by Date: Re: syncrepl not syncing [ CSN older or equal to ctx ]
Index(es):
- Chronological
- Thread