https://bugs.openldap.org/show_bug.cgi?id=9156
--- Comment #5 from Ondřej Kuzník ondra@mistotebe.net ---

On Fri, Mar 27, 2020 at 05:02:02PM +0000, openldap-its@openldap.org wrote:
> Hello,
> Here are the things I have basically tested:
> - pwdLastSuccess, pwdMaxIdle: KO: the user is able to authenticate after the
> pwdMaxIdle delay. Also, the pwdLastSuccess is never written (see https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-5.3...). For information, I have enabled lastbind. The slapo-ppolicy man page does not mention pwdLastSuccess by the way.

Hi David, could you show a configuration when this happens? I cannot reproduce either issue on master.
I will update the manpage to mention pwdLastSuccess is used.

> - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned,
> and if I read correctly the draft (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1), an "accountLocked" extended error code should be triggered.

Again, can't seem to be able to reproduce that and test022-ppolicy passes for me.