https://bugs.openldap.org/show_bug.cgi?id=9156
--- Comment #9 from David Coutadeur david.coutadeur@gmail.com ---
Hello,
Thanks Ondřej for your answer to my test results. Here are some updates!
- pwdLastSuccess, pwdMaxIdle: KO: the user is able to authenticate after the pwdMaxIdle delay. Also, the pwdLastSuccess is never written (see https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-5.3...). For information, I have enabled lastbind. The slapo-ppolicy man page does not mention pwdLastSuccess by the way.
I finally succeeded in making it work. Thanks for pointing out test022-ppolicy, it was helpful. The problem was that I was using the old lastbind overlay, which in some way was in conflict with the current lastbind. If I understand correctly, the current lastbind is now completely included in OpenLDAP 2.5? It is very important to me, because as a maintainer of OpenLDAP-LTB, we would have to warn people that the configuration parameters have changed (overlay lastbind -> lastbind on) and that the overlay won't be provided any more.
- pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned, and if I read correctly the draft (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1), an "accountLocked" extended error code should be triggered.
I was simply missing the ppolicy_use_lockout parameter. One remark though: the reason for locking is not very explicit. I understand that many companies/organizations will consider it a good thing to hide this information for security reasons. For the others, maybe we could have some sort of level? Configuration example: lockout_message_description [none|minimal|verbose]
In the specification the extended error code could simply stay as it is: "(1)Account locked", but we could add a more precise description in case the verbose mode is enabled: "(1)Account locked (account unused for too long a time)"
Regards,
David
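As an added illustration of the configuration this comment arrives at (it is not part of David's comment, nor the OpenLDAP project's own test suite or documentation): a slapd.conf fragment followed by the LDIF for a default policy entry and a user entry. `ppolicy_use_lockout`, the replacement of `overlay lastbind` by `lastbind on`, and the attribute names come from the comment and from draft-behera-ldap-password-policy-10; the DNs, the idle limit, the validity dates and the placement of `lastbind on` inside the ppolicy overlay section are assumptions.

```text
# slapd.conf fragment (constructed example; suffix and DNs are assumptions)
database   mdb
suffix     "dc=example,dc=com"
rootdn     "cn=admin,dc=example,dc=com"

overlay    ppolicy
ppolicy_default   "cn=default,ou=policies,dc=example,dc=com"
# Without this directive a locked account is refused with a bare
# invalidCredentials; with it the ppolicy response control carries
# the accountLocked (1) error from draft-behera-10 section 7.1, which
# is the symptom the comment describes for pwdStartTime/pwdEndTime.
ppolicy_use_lockout
# OpenLDAP 2.5: lastbind is configured as a ppolicy directive rather than
# loading the separate overlay ("overlay lastbind" -> "lastbind on", as the
# comment states). Loading the old overlay as well conflicts with it.
lastbind   on

# policy.ldif (constructed): default policy with an idle limit.
# pwdMaxIdle is expressed in seconds; 7776000 = 90 days is an assumption.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxIdle: 7776000

# user.ldif (constructed): account validity window.
# pwdStartTime / pwdEndTime are operational attributes (GeneralizedTime,
# draft-behera-10 section 5.3); pwdLastSuccess is written by the server on
# a successful bind once lastbind is on, not by the administrator.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {CLEARTEXT-PLACEHOLDER}
pwdStartTime: 20200101000000Z
pwdEndTime: 20201231235959Z
```

To observe the behaviour the comment reports, bind as the user with the ppolicy request control attached (for example `ldapwhoami -x -e ppolicy -D uid=jdoe,ou=people,dc=example,dc=com -W`): outside the start/end window, or after pwdMaxIdle seconds of inactivity, the response control should carry the accountLocked error, and a successful bind inside the window should update pwdLastSuccess on the entry, which can be checked with `ldapsearch` by requesting that operational attribute explicitly.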