Full_Name: Anshuman
Version: 2.4.23
OS: RHEL 6.4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (198.241.211.15)

Hello,
I am trying to get ppolicy to lock the account after N unsuccessful attempts. To accomplish this, I defined the overlay policy in slapd.conf, and also attached the pwdPolicySubentry to the user object.
It is able to detect the password policy, because the number of times "pwdFailureTime" appears is always 1 less than the value I set for "pwdMaxFailure" in the password policy.
So, if I set pwdMaxFailure=4, the count pwdFailureTime stops growing after 3.
However, the pwdAccountLockedTime is never set.
Up until release 2.3.x, adding a rootdn entry to the slapd.conf solved this issue. But today we are trying to upgrade to 2.4.23, and this "fix" no longer works.
Could someone please let me know what needs to be done to make this work?
-- slapd.conf---
# Load dynamic backend modules:
modulepath /usr/lib64/openldap
moduleload ppolicy.la
moduleload auditlog.la

overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=mycompany,dc=com"
ppolicy_use_lockout