Re: slapd 2.4.13: ppolicy_use_lockout not working as expected
Sorry, I did not know that option and had never used it.
Now I confirm it works fine with ldapsearch.
I have also successfully tested it with ldapwhoami.
The "-e" option works fine as well with the ldapwhoami command from Suse
10.2, but it didn't appear in my man pages;
I can just see it with the "-h" option.
Thank you for your support.
Buchan Milne wrote:
> ----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:
>
>> Buchan Milne wrote:
>>
>>> ----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:
>>>
>>>> Hello,
>>>>
>>>> I use the ppolicy overlay and it works fine for all the features I've
>>>> tested but one:
>>>>
>>>> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
>>>> still get the err=49 invalid credentials error message after 5
>>>> unsuccessful authentication attempts (a few seconds elapse between
>>>> each attempt).
>>>>
>>>> I operate slapd 2.4.13 over OpenSuse 10.2
>>>>
>>>> I can for example expire passwords, reset them or use the password
>>>> history feature, but I can't figure out how to get an "account locked"
>>>> message instead of "invalid credentials" when a user fails to log in
>>>> more than 5 times.
>>>>
>>> Well, you probably actually want them to get a message telling them
>>> that their password has expired, *before* they get locked out
>>> (otherwise you need admin intervention anyway).
>>>
>>>> I've tested with different ldapsearch versions as well as with Apache
>>>> LDAP Studio which seems to use at least some LDAP controls, so I don't
>>>> think it's a client side problem.
>>>>
>>> Are you using the '-e ppolicy' option to ldapwhoami or similar?
>>> Password policy requires the client to ask for, and interpret the
>>> password policy controls. So, most likely it *is* a client side
>>> problem.
>>>
>>> [...]
>>>
>>>> Any clue?
>>>>
>>> Test with ldapwhoami, with the '-e ppolicy' options. If they work
>>> correctly, then this is not an OpenLDAP issue, and you should ask
>>> about pam_ldap password policy support on another list (e.g.
>>> OpenLDAP-technical) which allows pam_ldap questions.
>>>
>>> Regards,
>>> Buchan
>>>
>> Thank you for all your answers. I understand it's a client problem
>> now. I haven't tested yet with ldapwhoami, but I will soon. I've only
>> tested with different versions (Solaris and Linux) of ldapsearch,
>> as well as with Apache Directory Studio and didn't find any option
>> here to deal with the password policy controls.
>>
>
> -e ppolicy should work with ldapsearch as well:
>
> $ ldapsearch --help 2>&1|grep -C8 ppolicy
> -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
> [!]assert=<filter> (a RFC 4515 Filter string)
> [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
> [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
> one of "chainingPreferred", "chainingRequired",
> "referralsPreferred", "referralsRequired"
> [!]manageDSAit
> [!]noop
> ppolicy
> [!]postread[=<attrs>] (a comma-separated attribute list)
> [!]preread[=<attrs>] (a comma-separated attribute list)
> [!]relax
> abandon, cancel, ignore (SIGINT sends abandon/cancel,
> or ignores response; if critical, doesn't wait for SIGINT.
> not really controls)
> -f file read operations from `file'
> -h host LDAP server
>
>
> Regards,
> Buchan
>
>