
Re: slapd 2.4.13: ppolicy_use_lockout not working as expected



----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:

> Buchan Milne wrote:
> > ----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:
> >
> >   
> >> Hello,
> >>
> >> I use the ppolicy overlay and it works fine for all the features I've
> >> tested but one:
> >>
> >> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
> >> still get the err=49 invalid credentials error message after 5
> >> unsuccessful authentication attempts (a few seconds elapse between
> >> each attempt)
> >>
> >> I operate slapd 2.4.13 over OpenSuse 10.2
> >>
> >> I can for example expire passwords, reset them or use the password
> >> history feature, but I can't figure out how to get an "account locked"
> >> message instead of "invalid credentials" when a user fails to log in
> >> more than 5 times.
> >>     
> >
> > Well, you probably actually want them to get a message telling them
> > that their password has expired, *before* they get locked out
> > (otherwise you need admin intervention anyway).
> >
> >   
> >> I've tested with different ldapsearch versions as well as with Apache
> >> LDAP Studio which seems to use at least some LDAP controls, so I don't
> >> think it's a client side problem.
> >>     
> >
> > Are you using the '-e ppolicy' option to ldapwhoami or similar ?
> > Password policy requires the client to ask for, and interpret the
> > password policy controls. So, most likely it *is* a client side
> > problem.
> >
> >
> > [...]
> >
> >   
> >> Any clue ?
> >>     
> >
> > Test with ldapwhoami, with the '-e ppolicy' options. If they work
> > correctly, then this is not an OpenLDAP issue, and you should ask
> > about pam_ldap password policy support on another list (e.g.
> > OpenLDAP-technical) which allows pam_ldap questions.
> >
> > Regards,
> > Buchan
> 
> 
> Thank you for all your answers. I understand it's a client problem now.
> I haven't tested yet with ldapwhoami, but I will soon. I've only tested
> with different versions (Solaris and Linux) of ldapsearch, as well as
> with Apache Directory Studio and didn't find any option here to deal
> with the password policy controls.

-e ppolicy should work with ldapsearch as well:

$ ldapsearch --help 2>&1|grep -C8 ppolicy
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (a RFC 4515 Filter string)
             [!]authzid=<authzid>   ("dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (a comma-separated attribute list)
             [!]preread[=<attrs>]   (a comma-separated attribute list)
             [!]relax
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -f file    read operations from `file'
  -h host    LDAP server


Regards,
Buchan
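The point made in the thread above is that err=49 is all the server says unless the client both requests the password policy control (the `-e ppolicy` extension) and decodes the response control that comes back with the BindResponse. As an added example (not code from the OpenLDAP project or from anyone in this thread), the Python below decodes the PasswordPolicyResponseValue as specified in draft-behera-ldap-password-policy (control OID 1.3.6.1.4.1.42.2.27.8.5.1) and shows how a ppolicy-aware client turns resultCode 49 plus an accountLocked error into the "account locked" message the original poster was looking for. The control bytes are constructed by hand; the function names are this example's own.

```python
"""Decode the LDAP Password Policy response control (draft-behera-ldap-password-policy).

Added example, not OpenLDAP project code. The BER-encoded sample values below are
constructed by hand to mirror what a ppolicy-aware bind returns; a real client would
take them from the controls field of the BindResponse.
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error [1] ENUMERATED values from the draft
ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
# warning [0] CHOICE alternatives: [0] timeBeforeExpiration, [1] graceAuthNsRemaining
WARNING_NAMES = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER tag-length-value at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Parse PasswordPolicyResponseValue into {'warning': (name, int) | None, 'error': name | None}."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:                        # outer SEQUENCE
        raise ValueError("expected SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                    # warning [0], constructed, wraps one CHOICE element
            wtag, wval, _ = _read_tlv(inner, 0)
            kind = wtag & 0x1F             # context tag number selects the CHOICE alternative
            result["warning"] = (WARNING_NAMES[kind], int.from_bytes(wval, "big"))
        elif tag == 0x81:                  # error [1], primitive ENUMERATED
            result["error"] = ERROR_NAMES.get(inner[0], f"unknown({inner[0]})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return result


def classify_bind_result(result_code, controls):
    """Combine the bare LDAP resultCode with any ppolicy response control.

    controls: list of (oid, value) pairs returned with the BindResponse.
    Without the control, resultCode 49 can only be reported as invalidCredentials.
    """
    ppolicy = next((v for oid, v in controls if oid == PPOLICY_CONTROL_OID), None)
    parsed = decode_ppolicy_response(ppolicy) if ppolicy is not None else None
    if parsed and parsed["error"] is not None:
        return f"{parsed['error']} (resultCode {result_code})"
    if parsed and parsed["warning"] is not None:
        name, n = parsed["warning"]
        return f"success, {name}={n} (resultCode {result_code})"
    return "invalidCredentials" if result_code == 49 else f"resultCode {result_code}"


# Constructed sample control values (hex shown for readability)
LOCKED = bytes.fromhex("3003810101")          # SEQUENCE { error accountLocked(1) }
EXPIRING = bytes.fromhex("3006a00480020e10")  # SEQUENCE { warning timeBeforeExpiration 3600 }
GRACE = bytes.fromhex("3005a00381010 2".replace(" ", ""))  # SEQUENCE { warning graceAuthNsRemaining 2 }

if __name__ == "__main__":
    print(classify_bind_result(49, []))                                   # invalidCredentials
    print(classify_bind_result(49, [(PPOLICY_CONTROL_OID, LOCKED)]))      # accountLocked (resultCode 49)
    print(classify_bind_result(0, [(PPOLICY_CONTROL_OID, EXPIRING)]))     # success, timeBeforeExpiration=3600 (resultCode 0)
```

The first two calls in the usage block show the original poster's situation: the same resultCode 49 arrives either way, and only the decoded control distinguishes a lockout from a wrong password, which is why a client that never requests the control (or ignores it) can only print "invalid credentials".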