
Operational attribute pwdFailureTime not being added to entries



Hello,

First let me thank the gracious folks on this list who have lent their
advice to me on my path towards implementing ppolicy.  I'm making
progress; I can reject new passwords based on password history, and
reject weak passwords.  However, I'm having a bit of a time trying to
get the lockouts to work.  My policy is defined as:

56 cn=Password Policy,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdLockoutDuration: 60
pwdMaxFailure: 3


However, even after many failed attempts, I see no pwdFailureTime attributes in the offending user's entry:

dn: uid=testuser,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser
sn: testuser
givenName: testuser
uid: testuser
uidNumber: 1009
gidNumber: 513
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: 42d5971e-7b49-102c-8aae-af676a6dbed9
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20080229193543Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-1484159386-3942804292-94657008-3018
sambaPrimaryGroupSID: S-1-5-21-1484159386-3942804292-94657008-513
sambaLogonScript: logon.bat
sambaProfilePath: \\masterldap.example.com\profiles\testuser
sambaHomePath: \\masterldap.example.com\testuser
sambaHomeDrive: H:
pwdHistory: 20080313194326Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}C2DOwhgHFTc
 XmGxRdqlpBUz12eZpRXI4
pwdHistory: 20080313194602Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}AboL9Sp7678
 X2KsPv8sMPE5CC2i6c6LY
pwdHistory: 20080313194626Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7hUqCecYGvd
 g5bx1ybw71YQcZShicmFk
pwdHistory: 20080313194852Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}E920Fe1PlYV
 Bwjn+rpiOFO8UaiRzZnB6
pwdHistory: 20080313200637Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}hFfD2xFwG/T
 s5PVg3CAIf4i6rkpaZnNM
pwdHistory: 20080313200941Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}/GpzR2wV7dy
 XITeU+5nBpFyTKdgxQzk4
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [U]
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1205438797
sambaPwdMustChange: 1209326797
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
pwdChangedTime: 20080313200941Z
entryCSN: 20080313200941Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080313200941Z


Is the shadowAccount attribute killing me?  I'm not really sure.  Just for completeness, the slapd.conf (abridged) looks like:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/ppolicy.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
modulepath      /usr/lib/openldap
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
   by   self    write
   by   *       auth
access to *
   by   *       read
moduleload      smbk5pwd.la
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
loglevel -1
sasl-secprops none



As always, thank you for your help.

Best Regards,
Ryan
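As an added example (not part of Ryan's post or of OpenLDAP itself), a small Python check that reads a pwdPolicy entry and a user entry from LDIF and reports how many pwdFailureTime values the ppolicy overlay would still hold against the account and whether pwdAccountLockedTime plus pwdLockoutDuration leaves it locked. The LDIF below is constructed to mirror the policy in the post; the pwdFailureTime and pwdAccountLockedTime lines are the values the poster expected to see, not values from the thread.

```python
"""Audit an OpenLDAP ppolicy user entry against its pwdPolicy (constructed sample data)."""
from datetime import datetime, timedelta, timezone

# Constructed LDIF modelled on the post's policy: 3 failures lock the account for 60 s,
# and pwdFailureCountInterval 0 means failures are only cleared by a successful bind.
POLICY_LDIF = """dn: cn=Password Policy,ou=Policies,dc=example,dc=com
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 60
pwdFailureCountInterval: 0
"""

# Constructed user entry showing the operational attributes ppolicy writes on failed binds.
USER_LDIF = """dn: uid=testuser,ou=Users,dc=example,dc=com
uid: testuser
pwdFailureTime: 20080313201001Z
pwdFailureTime: 20080313201015Z
pwdFailureTime: 20080313201030Z
pwdAccountLockedTime: 20080313201030Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, returns attr -> [values]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # a leading space continues the previous value
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        # '::' marks a base64 value; it is kept verbatim here, not decoded
        entry.setdefault(attr.strip(), []).append(value.lstrip(":").strip())
    return entry


def gtime(value):
    """Parse an LDAP GeneralizedTime such as 20080313201030Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lockout_status(policy, user, now):
    """Count failures still held against the account and decide whether it is locked."""
    max_fail = int(policy.get("pwdMaxFailure", ["0"])[0])
    interval = int(policy.get("pwdFailureCountInterval", ["0"])[0])
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    lockout = policy.get("pwdLockout", ["FALSE"])[0].upper() == "TRUE"
    failures = [gtime(v) for v in user.get("pwdFailureTime", [])]
    if interval:  # 0 keeps every failure until the next successful bind
        failures = [f for f in failures if now - f <= timedelta(seconds=interval)]
    locked = False
    if lockout and "pwdAccountLockedTime" in user:
        since = gtime(user["pwdAccountLockedTime"][0])
        # pwdLockoutDuration 0 means locked until an administrator clears it
        locked = duration == 0 or now - since < timedelta(seconds=duration)
    return {"failures": len(failures), "threshold": max_fail, "locked": locked}
```

Running `lockout_status(parse_ldif(POLICY_LDIF), parse_ldif(USER_LDIF), gtime("20080313201100Z"))` reports three counted failures against a threshold of three and a locked account; moving `now` past 60 seconds after pwdAccountLockedTime reports unlocked while the three failures remain, because the interval is 0.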