Re: slapd 2.4.13: ppolicy_use_lockout not working as expected
----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:
> Buchan Milne wrote:
> > ----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:
> >
> >> Hello,
> >>
> >> I use the ppolicy overlay and it works fine for all the features I've
> >> tested but one:
> >>
> >> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
> >> still get the err=49 invalid credentials error message after 5
> >> unsuccessful authentication attempts (a few seconds elapse between
> >> each attempt)
> >>
> >> I operate slapd 2.4.13 over OpenSuse 10.2
> >>
> >> I can for example expire passwords, reset them or use the password
> >> history feature, but I can't figure out how to get an "account locked"
> >> message instead of "invalid credentials" when a user fails to log in
> >> more than 5 times.
> >>
> >
> > Well, you probably actually want them to get a message telling them
> > that their password has expired, *before* they get locked out
> > (otherwise you need admin intervention anyway).
> >
> >> I've tested with different ldapsearch versions as well as with Apache
> >> LDAP Studio which seems to use at least some LDAP controls, so I don't
> >> think it's a client side problem.
> >>
> >
> > Are you using the '-e ppolicy' option to ldapwhoami or similar ?
> > Password policy requires the client to ask for, and interpret the
> > password policy controls. So, most likely it *is* a client side
> > problem.
> >
> > [...]
> >
> >> Any clue ?
> >>
> >
> > Test with ldapwhoami, with the '-e ppolicy' options. If they work
> > correctly, then this is not an OpenLDAP issue, and you should ask
> > about pam_ldap password policy support on another list (e.g.
> > OpenLDAP-technical) which allows pam_ldap questions.
> >
> > Regards,
> > Buchan
>
> Thank you for all your answers. I understand it's a client problem now.
> I haven't tested yet with ldapwhoami, but I will soon. I've only tested
> with different versions (Solaris and Linux) of ldapsearch, as well as
> with Apache Directory Studio and didn't find any option here to deal
> with the password policy controls.
-e ppolicy should work with ldapsearch as well:

$ ldapsearch --help 2>&1 | grep -C8 ppolicy
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>   (a RFC 4515 Filter string)
             [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit
             [!]noop
             ppolicy
             [!]postread[=<attrs>] (a comma-separated attribute list)
             [!]preread[=<attrs>]  (a comma-separated attribute list)
             [!]relax
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -f file    read operations from `file'
  -h host    LDAP server
Regards,
Buchan
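The point made in this thread, that a locked account only becomes visible to a client that sends the password policy request control (what `-e ppolicy` does) and then decodes the response control, is illustrated by the added example below. It is not code from the thread or from OpenLDAP. The bind result code for a locked account is still 49 (invalidCredentials); the accountLocked indication travels only in the response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, syntax per draft-behera-ldap-password-policy), so a client that never asked for it sees exactly the err=49 Cyril reports. The decoder, the `describe_bind` helper and the hand-encoded sample control values are this example's own; the ldapwhoami / ldapsearch tools do the same decoding internally when given `-e ppolicy`.

```python
"""Decode the LDAP Password Policy response control (draft-behera-ldap-
password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1).  Added illustration, not
OpenLDAP's code.  Value syntax (BER, context tags as OpenLDAP emits them):

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE {                       -- 0xA0 (explicit)
          timeBeforeExpiration [0] INTEGER,      --   0x80
          graceAuthNsRemaining [1] INTEGER }     --   0x81
          OPTIONAL,
      error [1] ENUMERATED { ... } OPTIONAL }    -- 0x81 (implicit)
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# ENUMERATED values 0..8 from the draft, in order.
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]


def _tlv(buf, pos):
    """Read one BER TLV (single-byte tag, short or long length) at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated control value")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: N length octets follow
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def _int(raw):
    """Decode BER INTEGER/ENUMERATED content octets (two's complement)."""
    if not raw:
        raise ValueError("empty INTEGER")
    return int.from_bytes(raw, "big", signed=True)


def decode_ppolicy_response(value):
    """Return a dict with whichever of 'timeBeforeExpiration',
    'graceAuthNsRemaining' and 'error' are present in the control value."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a single SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag == 0xA0:                        # warning: explicit tag wraps the CHOICE
            wtag, wval, wend = _tlv(content, 0)
            if wend != len(content) or wtag not in (0x80, 0x81):
                raise ValueError("malformed warning")
            key = "timeBeforeExpiration" if wtag == 0x80 else "graceAuthNsRemaining"
            out[key] = _int(wval)
        elif tag == 0x81:                      # error: implicit ENUMERATED
            code = _int(content)
            out["error"] = ERRORS[code] if 0 <= code < len(ERRORS) else "unknown(%d)" % code
        else:
            raise ValueError("unexpected element 0x%02x" % tag)
    return out


def describe_bind(result_code, controls):
    """Message a client should show for a BindResponse, given its resultCode
    and response controls as (oid, value_bytes) pairs.  Without the control,
    a locked account and a wrong password are both just result code 49."""
    info = {}
    for oid, val in controls:
        if oid == PPOLICY_CONTROL_OID:
            info = decode_ppolicy_response(val)
    if "error" in info:
        return "password policy: %s" % info["error"]
    if result_code == 49:
        return "invalid credentials"
    if result_code != 0:
        return "bind failed, result code %d" % result_code
    if "timeBeforeExpiration" in info:
        return "bind ok, password expires in %d s" % info["timeBeforeExpiration"]
    if "graceAuthNsRemaining" in info:
        return "bind ok, %d grace binds left" % info["graceAuthNsRemaining"]
    return "bind ok"


# Constructed sample control values (hand-encoded for this example, not
# captured from a real server).
LOCKED   = bytes.fromhex("3003810101")            # error=accountLocked(1)
EXPIRING = bytes.fromhex("3006a0048002012c")      # timeBeforeExpiration=300
GRACE    = bytes.fromhex("3005a003810102")        # graceAuthNsRemaining=2
EXPIRED  = bytes.fromhex("3008a003810101810100")  # grace=1 + error=passwordExpired(0)

if __name__ == "__main__":
    print(describe_bind(49, []))                               # invalid credentials
    print(describe_bind(49, [(PPOLICY_CONTROL_OID, LOCKED)]))  # password policy: accountLocked
    print(describe_bind(0, [(PPOLICY_CONTROL_OID, EXPIRING)]))
```

The first two print calls are the two situations Cyril compares: the same result code 49 on the wire, and only the second one, where the client sent the request control and got the response control back, can be reported as "account locked". The command-line equivalent from the thread is `ldapwhoami -e ppolicy -D <bind dn> -W` (the bind DN is whatever user you are testing), which prints the decoded warning or error itself; if that shows the lock and pam_ldap does not, the problem is on the pam_ldap side, as Buchan says.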