
Re: Ldap password policy not throwing different errors



On Sun, 5 Jan 2014 15:13:51 +0000,
Idan Fridman <idanf@cellebrite.com> wrote:

> 
> Hi,
> 
> I use the ppolicy overlay and enabled ppolicy_use_lockout to
> distinguish between an invalid password and locked accounts.
> 
>     database    bdb
>     suffix      "dc=openiam,dc=com"
>     rootdn      "cn=Manager,dc=openiam,dc=com"
>     rootpw      "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
>     # PPolicy Configuration
>     overlay ppolicy
>     ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
>     ppolicy_use_lockout
>     ppolicy_hash_cleartext
> 
> I tried to lock a user account by entering a wrong password a couple
> of times (pwdMaxFailure)
> 
> The user is being locked but when I try to login again I still get
> the same error:
> 
> Invalid credentials (49)
> 
> Any idea why I am not getting a different error to distinguish
> between the cases?

1. There is no appropriate result message for password policy. RFC 4511
Section 4.1.9 defines all result messages and Appendix A provides in
brief a general description.
2. In your particular case result 49 is a substitution in order to
prevent an unauthorized disclosure.


-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
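An added example (my code, not from this thread or from OpenLDAP) to make the point concrete: the bind result code is 49 for both a wrong password and a locked account, and the distinction travels only in the Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1), which slapo-ppolicy returns when the client sent the matching request control with its bind. The decoder below parses that control's BER value according to the ASN.1 in draft-behera-ldap-password-policy and classifies a failed bind; the control bytes are constructed by hand.

```python
# Added example, not from this thread or OpenLDAP: decode the Password Policy
# response control slapo-ppolicy returns with a bind result. Samples are hand-built.
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # same OID for request and response control
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}

def _tlv(buf, pos):
    """Read one BER tag/length/value (short-form lengths suffice for this control)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("unexpected long-form BER length")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_ppolicy_response(value):
    """SEQUENCE { [0] EXPLICIT CHOICE { [0] timeBeforeExpiration | [1] graceAuthNsRemaining }
    OPTIONAL, [1] IMPLICIT ENUMERATED error OPTIONAL } -> {'warning': ..., 'error': ...}"""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response value is not a SEQUENCE")
    out = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:      # warning: explicitly tagged CHOICE, inner tag picks the kind
            wtag, num, _ = _tlv(inner, 0)
            kind = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            out["warning"] = (kind, int.from_bytes(num, "big"))
        elif tag == 0x81:    # error: implicitly tagged ENUMERATED
            out["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big"), "unknown")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in ppolicy response")
    return out

def classify_bind_failure(result_code, ctrls):
    """ctrls: (oid, criticality, value) triples handed back with the bind result.
    Result code 49 on its own never separates a lockout from a wrong password."""
    if result_code != 49:
        return f"bind failed with result {result_code}"
    for oid, _crit, value in ctrls:
        if oid == PPOLICY_OID and decode_ppolicy_response(value)["error"] == "accountLocked":
            return "account locked"
    return "invalid credentials (or no ppolicy request control was sent)"

# Constructed samples: a locked account (needs ppolicy_use_lockout) and a
# password that expires in 3600 seconds.
LOCKED_CTRL = bytes.fromhex("30 03 81 01 01")
EXPIRING_CTRL = bytes.fromhex("30 06 a0 04 80 02 0e 10")
```

ppolicy_use_lockout is what makes the server put accountLocked into this control at all; with it off, locked and merely wrong-password binds stay indistinguishable to any client, which is the disclosure Dieter's second point refers to.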