https://bugs.openldap.org/show_bug.cgi?id=9156
--- Comment #10 from Ondřej Kuzník ondra@mistotebe.net --- On Thu, Apr 09, 2020 at 02:41:54PM +0000, openldap-its@openldap.org wrote:
> The problem was that I was using the old lastbind overlay, which in some way was in conflict with the current lastbind. If I understand correctly, the current lastbind is now completely included into OpenLDAP 2.5?
No, features you might want to configure lastbind with do not (yet) have an equivalent in the core implementation, so I haven't removed it from 2.5 yet.
> It is very important to me, because as a maintainer of OpenLDAP-LTB, we would have to warn people that the configuration parameters have changed (overlay lastbind -> lastbind on) and that the overlay won't be provided any more.
> - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned, and if I read correctly the draft (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1), an "accountLocked" extended error code should be triggered.
> I was simply missing the ppolicy_use_lockout parameter. One remark though: the reason for locking is not very explicit. I understand that many companies/organizations will consider it a good thing to hide this information for security reasons. For the others, maybe could we have some sort of level? Configuration example: lockout_message_description [none|minimal|verbose]
The message is output by the client, the only information provided is the ppolicy response control: https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-6.2
(or rather https://git.openldap.org/openldap/openldap/-/blob/master/doc/drafts/draft-be...)
Providing any more information would need to be integrated into the draft as well.
> In the specification the extended error code could simply stay as it is: "(1)Account locked", but we could add a more precise description in case the verbose mode is enabled: "(1)Account locked (account unused for too long a time)"