[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: slapd 2.4.13: ppolicy_use_lockout not working as expected
Buchan Milne wrote:
> ----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:
>
>
>> Hello,
>>
>> I use the ppolicy overlay and it works fine for all the features I've
>> tested but one:
>>
>> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
>> still get the err=49
>> invalid credentials error message after 5 unsuccessfull
>> authentification
>> attempts (a few
>> seconds elapse between each attempt)
>>
>> I operate slapd 2.4.13 over OpenSuse 10.2
>>
>> I can for example expire passwords, reset them or use the password
>> history feature,
>> but I can't figure out how to get an "account locked" message instead
>> of
>> "invalid credentials"
>> when a user fails to log in more than 5 times.
>>
>
> Well, you probably actually want them to get a message telling them that their password has expired, *before* they get locked out (otherwise you need admin intervention anyway).
>
>
>> I've tested with different ldapsearch versions as well as with Apache
>> LDAP Studio which seems
>> to use at least some LDAP controls, so I don't think it's a client
>> side
>> problem.
>>
>
> Are you using the '-e ppolicy' option to ldapwhoami or similar ? Password policy requires the client to ask for, and interpret the password policy controls. So, most likely it *is* a client side problem.
>
>
> [...]
>
>
>> Any clue ?
>>
>
> Test with ldapwhoami, with the '-e ppolicy' options. If they work correctly, then this is not an OpenLDAP issue, and you should ask about pam_ldap password policy support on another list (e.g. OpenLDAP-technical) which allows pam_ldap questions.
>
> Regards,
> Buchan
Thank you for all your answers. I understand it's a client problem now.
I haven't tested yet with ldapwhoami, but I will soon. I've only tested
with different versions (Solaris and Linux) of ldapsearch,
as well as with Apache Directory Studio and didn't find any option here
to deal with the password policy cotnrols .