Full_Name: Mihai Munteanu
Version: 2.4.44
OS: CentOS7 x64
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (86.12.190.162)
Scenario:

0. We have configured that after 3 failed login attempts the account is to be locked.
1. User test1 fails to login 3 times -> account is locked.
2. Admin unlocks test1's account and notifies user test1.
3. User test1 tries once to login using a wrong password and gets his account locked again.

Expectation here: the account should not be locked after the first attempt with a wrong password, but after the third attempt, as was the case in step 1.

It turns out that it is locked again after the first attempt because in step 2 only the pwdAccountLockedTime attribute is removed from LDAP, but not the pwdFailureTime values as well. It seems pwdFailureTime is cleared internally only:
- when test1 successfully authenticates (having his account unlocked)
- when the admin changes test1's password
See below my details:

$>ldapsearch -x -b "cn=test1,ou=users,dc=thales,dc=com" +
...
pwdChangedTime: 20171027043554Z
pwdFailureTime: 20171027052019.225837Z
pwdFailureTime: 20171027052021.776604Z
pwdFailureTime: 20171027052024.436413Z
pwdAccountLockedTime: 20171027052024Z
entryCSN: 20171027055105.381686Z#000000#000#000000
...

$>cat unlock.ldif
dn: cn=test1,ou=users,dc=thales,dc=com
changetype: modify
delete: pwdAccountLockedTime
-
delete: pwdFailureTime

$>ldapmodify -x -W -D "cn=admin,ou=users,dc=thales,dc=com" -f unlock.ldif
Enter LDAP Password:
modifying entry "cn=test1,ou=users,dc=thales,dc=com"
ldap_modify: Constraint violation (19)
        additional info: pwdFailureTime: no user modification allowed

$>cat unlock.ldif
dn: cn=test1,ou=users,dc=thales,dc=com
changetype: modify
delete: pwdAccountLockedTime

$>ldapmodify -x -W -D "cn=jamessmith,ou=users,dc=thales,dc=com" -f unlock.ldif
Enter LDAP Password:
modifying entry "cn=test1,ou=users,dc=thales,dc=com"

$>ldapsearch -x -b "cn=test1,ou=users,dc=thales,dc=com" +
...
pwdChangedTime: 20171027043554Z
pwdFailureTime: 20171027052019.225837Z
pwdFailureTime: 20171027052021.776604Z
pwdFailureTime: 20171027052024.436413Z
entryCSN: 20171027055105.381686Z#000000#000#000000
...
Result: pwdAccountLockedTime is removed, but pwdFailureTime is not automatically removed as well.

Expected: since I'm not allowed to remove pwdFailureTime, I would expect it to be automatically removed via the removal of pwdAccountLockedTime.
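The practical consequence of the behaviour described in this report is that an account can look unlocked (no pwdAccountLockedTime) while still carrying a full set of pwdFailureTime values, so the next wrong password locks it immediately. The following script is an added example, not code from the report or from the OpenLDAP project: it parses the LDIF that `ldapsearch ... +` prints and lists unlocked accounts that still hold stale failure timestamps, together with how many wrong passwords remain before ppolicy locks them. The function names, the `max_failure` parameter (3, as configured in the report) and the test2/test3 entries are assumptions; the test1 entry reuses the values quoted above.

```python
"""Flag accounts whose pwdFailureTime values survived an administrative unlock.

Added example (not part of the ITS report). Reads ldapsearch LDIF output and
reports entries with no pwdAccountLockedTime but leftover pwdFailureTime values,
i.e. accounts that will re-lock on the very next wrong password.
"""
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PolicyState:
    dn: str
    failure_times: List[str] = field(default_factory=list)  # pwdFailureTime values
    locked_time: Optional[str] = None                        # pwdAccountLockedTime, if present

    def remaining_attempts(self, max_failure: int) -> int:
        """Wrong passwords the user can still enter before ppolicy locks the account."""
        return max(max_failure - len(self.failure_times), 0)


def parse_ldif(text: str) -> List[PolicyState]:
    """Minimal parser for ldapsearch output: entries separated by blank lines,
    one 'attr: value' per line; '...' lines (elided output) and comments are ignored."""
    entries: List[PolicyState] = []
    current: Optional[PolicyState] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "...":
            continue
        if not line:
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, value = (part.strip() for part in line.split(":", 1))
        if attr == "dn":
            current = PolicyState(dn=value)
        elif current is None:
            continue
        elif attr == "pwdFailureTime":
            current.failure_times.append(value)
        elif attr == "pwdAccountLockedTime":
            current.locked_time = value
    if current is not None:
        entries.append(current)
    return entries


def stale_failure_report(ldif_text: str, max_failure: int = 3) -> Dict[str, int]:
    """Map DN -> remaining attempts for unlocked accounts that still carry
    pwdFailureTime values. Locked accounts and clean accounts are omitted."""
    report: Dict[str, int] = {}
    for entry in parse_ldif(ldif_text):
        if entry.locked_time is None and entry.failure_times:
            report[entry.dn] = entry.remaining_attempts(max_failure)
    return report


# Constructed sample: test1 uses the values quoted in the report (after the admin
# removed pwdAccountLockedTime); test2 (one stale failure) and test3 (still locked)
# are made up to show the other two states.
SAMPLE_LDIF = """\
dn: cn=test1,ou=users,dc=thales,dc=com
pwdChangedTime: 20171027043554Z
pwdFailureTime: 20171027052019.225837Z
pwdFailureTime: 20171027052021.776604Z
pwdFailureTime: 20171027052024.436413Z
entryCSN: 20171027055105.381686Z#000000#000#000000

dn: cn=test2,ou=users,dc=thales,dc=com
pwdChangedTime: 20171027043554Z
pwdFailureTime: 20171027060000.000000Z
...

dn: cn=test3,ou=users,dc=thales,dc=com
pwdFailureTime: 20171027061000.000000Z
pwdFailureTime: 20171027061001.000000Z
pwdFailureTime: 20171027061002.000000Z
pwdAccountLockedTime: 20171027061002Z
"""

if __name__ == "__main__":
    # Pipe real output in ("ldapsearch ... + | python3 stale_failures.py"), otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn, left in stale_failure_report(text).items():
        print(f"{dn}: unlocked but {left} wrong password(s) left before re-lock")
```

For the sample, test1 is reported with 0 attempts left (exactly the situation in step 3 of the scenario), test2 with 2, and test3 is skipped because it is still locked. The count is an upper bound: if pwdFailureCountInterval is set in the policy, ppolicy purges failure values older than that interval on the next bind, so the real number of remaining attempts may be higher than the script shows.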