
Re: slapd 2.4.13: ppolicy_use_lockout not working as expected



Sorry, I did not know that option and had never used it.
Now I confirm it works fine with ldapsearch.

I have also successfully tested it with ldapwhoami.
The "-e" option works fine as well with the ldapwhoami command from Suse
10.2, but it didn't appear in my man pages;
I can just see it with the "-h" option.

Thank you for your support.

Buchan Milne wrote:
> ----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:
>
>> Buchan Milne wrote:
>>
>>> ----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:
>>>
>>>> Hello,
>>>>
>>>> I use the ppolicy overlay and it works fine for all the features I've
>>>> tested but one:
>>>>
>>>> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
>>>> still get the err=49 invalid credentials error message after 5
>>>> unsuccessful authentication attempts (a few seconds elapse between
>>>> each attempt).
>>>>
>>>> I operate slapd 2.4.13 over OpenSuse 10.2
>>>>
>>>> I can for example expire passwords, reset them or use the password
>>>> history feature, but I can't figure out how to get an "account locked"
>>>> message instead of "invalid credentials" when a user fails to log in
>>>> more than 5 times.
>>>
>>> Well, you probably actually want them to get a message telling them
>>> that their password has expired, *before* they get locked out
>>> (otherwise you need admin intervention anyway).
>>>
>>>> I've tested with different ldapsearch versions as well as with Apache
>>>> LDAP Studio which seems to use at least some LDAP controls, so I don't
>>>> think it's a client side problem.
>>>
>>> Are you using the '-e ppolicy' option to ldapwhoami or similar ?
>>> Password policy requires the client to ask for, and interpret the
>>> password policy controls. So, most likely it *is* a client side
>>> problem.
>>>
>>> [...]
>>>
>>>> Any clue ?
>>>
>>> Test with ldapwhoami, with the '-e ppolicy' options. If they work
>>> correctly, then this is not an OpenLDAP issue, and you should ask
>>> about pam_ldap password policy support on another list (e.g.
>>> OpenLDAP-technical) which allows pam_ldap questions.
>>>
>>> Regards,
>>> Buchan
>>
>> Thank you for all your answers. I understand it's a client problem now.
>> I haven't tested yet with ldapwhoami, but I will soon. I've only tested
>> with different versions (Solaris and Linux) of ldapsearch, as well as
>> with Apache Directory Studio and didn't find any option here to deal
>> with the password policy controls.
>
> -e ppolicy should work with ldapsearch as well:
>
> $ ldapsearch --help 2>&1|grep -C8 ppolicy
>   -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
>              [!]assert=<filter>     (a RFC 4515 Filter string)
>              [!]authzid=<authzid>   ("dn:<dn>" or "u:<user>")
>              [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
>                      one of "chainingPreferred", "chainingRequired",
>                      "referralsPreferred", "referralsRequired"
>              [!]manageDSAit
>              [!]noop
>              ppolicy
>              [!]postread[=<attrs>]  (a comma-separated attribute list)
>              [!]preread[=<attrs>]   (a comma-separated attribute list)
>              [!]relax
>              abandon, cancel, ignore (SIGINT sends abandon/cancel,
>              or ignores response; if critical, doesn't wait for SIGINT.
>              not really controls)
>   -f file    read operations from `file'
>   -h host    LDAP server
>
>
> Regards,
> Buchan
>
>
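The point of the thread is that slapd only reports "account locked" inside the password policy response control, and only to a client that attached the password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1, empty value, which is what `-e ppolicy` adds to the bind); the bind's resultCode itself stays 49 (invalidCredentials). The following is an added example, not code from the thread or from OpenLDAP: a small Python decoder for the response control value (a BER SEQUENCE with an optional explicit `[0]` warning choice and an optional `[1]` ENUMERATED error, laid out as in draft-behera-ldap-password-policy and as the ppolicy overlay emits it) and a helper that combines it with the bind resultCode. The byte strings are constructed by hand for the example; no server is contacted.

```python
"""Decode the LDAP password policy response control (draft-behera-ldap-password-policy).

Added example, not part of the original thread. The sample control values below
are constructed by hand; a real client would take them from the bind response.
"""

# Same OID is used for the request control (no value) and the response control.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# PasswordPolicyResponseValue.error ENUMERATED values from the draft.
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos).

    Handles single-byte tags and short- or long-form definite lengths, which is
    all this control uses. Anything else is rejected rather than guessed at.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length not allowed in DER control values")
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Return {'warning': (kind, int) | None, 'error': name | None}."""
    result = {"warning": None, "error": None}
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a PasswordPolicyResponseValue SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE, explicitly tagged (constructed)
            wtag, wval, _ = _read_tlv(inner, 0)
            n = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:    # timeBeforeExpiration [0] INTEGER (seconds)
                result["warning"] = ("timeBeforeExpiration", n)
            elif wtag == 0x81:  # graceAuthNsRemaining [1] INTEGER
                result["warning"] = ("graceAuthNsRemaining", n)
            else:
                raise ValueError("unknown warning choice tag 0x%02x" % wtag)
        elif tag == 0x81:  # error [1] ENUMERATED (primitive)
            code = int.from_bytes(inner, "big", signed=True)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in ppolicy response" % tag)
    return result


def explain_bind_result(result_code, response_controls):
    """Combine the bind resultCode with the ppolicy response control, if present.

    response_controls is a list of (oid, value) pairs from the BindResponse.
    Without the control, all a client can see for a locked account is 49.
    """
    ppolicy = None
    for oid, value in response_controls:
        if oid == PPOLICY_CONTROL_OID:
            ppolicy = decode_ppolicy_response(value)
    parts = ["resultCode=%d" % result_code]
    if ppolicy is None:
        parts.append("no ppolicy response control (client did not request it?)")
        return "; ".join(parts)
    if ppolicy["error"]:
        parts.append("ppolicy error=%s" % ppolicy["error"])
    if ppolicy["warning"]:
        kind, n = ppolicy["warning"]
        parts.append("ppolicy warning=%s(%d)" % (kind, n))
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample: resultCode 49 with error=accountLocked(1).
    locked = bytes.fromhex("30 03 81 01 01")
    print(explain_bind_result(49, [(PPOLICY_CONTROL_OID, locked)]))
    # Same bind result, but the client never asked for the control.
    print(explain_bind_result(49, []))
    # Constructed sample: password expired, 2 grace binds remaining.
    grace = bytes.fromhex("30 08 A0 03 81 01 02 81 01 00")
    print(explain_bind_result(0, [(PPOLICY_CONTROL_OID, grace)]))
```

The two `resultCode=49` lines from the sample run are the whole story of the thread: the server's answer is identical except for the control, so a client (ldapsearch without `-e ppolicy`, pam_ldap without password policy support) that never requested it has nothing to distinguish a lockout from a wrong password.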