jong.limb@dss.virginia.gov wrote:
Full_Name: Jong K. Limb Version: 2.4.23 OS: RHEL 5.3 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (166.67.66.5)
I have the following setup:
- Provider LDAP server used only by those applications that change passwords
- Consumer LDAP servers used by all applications that want to authenticate
users
- The provider and consumers have password policy configured so that the
accounts lock after 3 failed attempts
- In order to maintain synchronization of failed login attempts across all
consumers, I also enabled chaining from the consumers to the master
If an attempt is made to authenticate against the consumer with an invalid password (for example, using ldapsearch), the pwdFailureTime attribute is added/updated on the provider and eventually synced to the consumer, but the operation succeeds when it should not have.
If I remove the password policy overlay (leaving all other configuration the same) and run ldapsearch with an invalid password against a consumer, the operation will fail with invalid credentials as it should.
I have done a little debugging, and it looks like the response that gets returned to the client is the response to the modify operation that the consumer makes to the provider to add/update the pwdFailureTime attribute, and not the response to the bind operation. The modify operation is successful here, so the client continues on with the search or other operation.
Unable to confirm this. Note that this is tested explicitly in test022 of the test suite, and no such behavior occurs there.
You're running a pretty old release, perhaps you should update. Regardless, unless you can provide more details to reproduce this situation, this ITS will be closed.