Hello,
I use the ppolicy overlay and it works fine for all the features I've tested but one: I've added the ppolicy_use_lockout parameter in my slapd.conf, but I still get the err=49 "invalid credentials" error message after 5 unsuccessful authentication attempts (a few seconds elapse between each attempt).

I operate slapd 2.4.13 over OpenSuse 10.2.

I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.

I've tested with different ldapsearch versions as well as with Apache LDAP Studio, which seems to use at least some LDAP controls, so I don't think it's a client-side problem.

I've tried to set "ppolicy_use_lockout" to 1 or true or on, as well as leaving it without a value, but it doesn't change anything, except that unauthorized values prevent slapd from starting.

Here's what I see in "-d -1" mode:
<= acl_access_allowed: granted to database root
bdb_modify_internal: replace pwdAccountLockedTime
bdb_modify_internal: add pwdFailureTime
bdb_modify_internal: 20 modify/add: pwdFailureTime: value #0 already exists
bdb_modify: modify failed (20)
send_ldap_result: conn=7 op=0 p=3
send_ldap_result: err=20 matched="" text="modify/add: pwdFailureTime:
value #0 already exists"
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 25
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
conn=7 op=0 RESULT tag=97 err=49 text=
daemon: activity on:
My config is as follows:
database bdb
...
...
overlay ppolicy
ppolicy_default "cn=default,ou=policies,.....
ppolicy_use_lockout
And my policy is as follows:
dn: cn=default,ou=policies,....
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 86400
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: default
Any clue?
Cyril
--
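The two artifacts in the post that a reader can actually check are the pwdPolicy entry and the slapd debug excerpt, where the overlay's own bookkeeping modify (replace pwdAccountLockedTime, add pwdFailureTime) is rejected with err=20 before the bind result err=49 goes back to the client. The following is an added example (not code from the post, and not OpenLDAP's own tooling) that does the two checks a defender would want here: it lints the lockout-relevant attributes of the policy entry, and it scans slapd log lines to pair a rejected ppolicy bookkeeping write with the bind result that follows it on the same connection. The policy LDIF and log lines in the script are constructed from the excerpts above; the DN suffix `dc=example,dc=org` and the extra `conn=8` line are assumptions added for illustration, and the note about pwdFailureCountInterval purging old failures follows the password-policy draft semantics, which the post does not itself state.

```python
"""Triage helper for a ppolicy lockout that never takes effect.

Added example (not code from the post or from OpenLDAP). Two checks:
  1. parse the pwdPolicy entry and report anything that prevents a lockout;
  2. scan slapd debug output for a bind whose internal ppolicy bookkeeping
     write (pwdFailureTime / pwdAccountLockedTime) was rejected, so the
     failure is never recorded even though the client just sees err=49.
The policy LDIF and log lines below are constructed from the post's excerpts.
"""
import re
from typing import Dict, List, Optional

# Constructed from the policy entry in the post; the DN suffix is an assumption.
SAMPLE_POLICY = """\
dn: cn=default,ou=policies,dc=example,dc=org
cn: default
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdFailureCountInterval: 30
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 5
"""

# Constructed from the slapd -d -1 excerpt; the conn=8 line is an assumed
# ordinary bad bind with no bookkeeping failure, to show it is not flagged.
SAMPLE_LOG = """\
<= acl_access_allowed: granted to database root
bdb_modify_internal: replace pwdAccountLockedTime
bdb_modify_internal: add pwdFailureTime
bdb_modify_internal: 20 modify/add: pwdFailureTime: value #0 already exists
bdb_modify: modify failed (20)
send_ldap_result: conn=7 op=0 p=3
send_ldap_result: err=20 matched="" text="modify/add: pwdFailureTime: value #0 already exists"
send_ldap_response: msgid=1 tag=97 err=49
conn=7 op=0 RESULT tag=97 err=49 text=
conn=8 op=0 RESULT tag=97 err=49 text=
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal one-entry LDIF reader: 'attr: value' lines, multi-valued attrs."""
    entry: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def lockout_policy_findings(policy: Dict[str, List[str]]) -> List[str]:
    """Return human-readable reasons this pwdPolicy may not lock accounts."""
    def first(attr: str, default: str) -> str:
        return policy.get(attr, [default])[0]

    findings: List[str] = []
    if first("pwdLockout", "FALSE").upper() != "TRUE":
        findings.append("pwdLockout is not TRUE: failures are recorded but never lock the account")
    max_failure = int(first("pwdMaxFailure", "0"))
    if max_failure == 0:
        findings.append("pwdMaxFailure is 0: no number of failures triggers a lockout")
    interval = int(first("pwdFailureCountInterval", "0"))
    if max_failure and interval:
        # pwdFailureTime values older than the interval are purged from the count.
        findings.append(
            f"pwdFailureCountInterval={interval}: all {max_failure} failures must fall "
            f"within {interval}s, older pwdFailureTime values are purged from the count"
        )
    return findings


# e.g. "bdb_modify_internal: 20 modify/add: pwdFailureTime: value #0 already exists"
MOD_FAIL = re.compile(r"modify_internal: (\d+) modify/(\w+): (\w+): (.*)$")
# e.g. "conn=7 op=0 RESULT tag=97 err=49 text="  (tag 97 = BindResponse)
BIND_RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def scan_slapd_log(lines: List[str]) -> List[dict]:
    """Pair a rejected ppolicy bookkeeping modify with the bind result after it."""
    findings: List[dict] = []
    pending: Optional[dict] = None  # last rejected internal modify, until a bind result consumes it
    for line in lines:
        m = MOD_FAIL.search(line)
        if m:
            pending = {"ldap_err": int(m.group(1)), "modop": m.group(2),
                       "attr": m.group(3), "reason": m.group(4).strip()}
            continue
        m = BIND_RESULT.search(line)
        if m:
            if pending is not None:
                findings.append({"conn": int(m.group(1)), "op": int(m.group(2)),
                                 "bind_err": int(m.group(3)), **pending})
            pending = None  # a bind result without a preceding failure is a plain bad password
    return findings


if __name__ == "__main__":
    for f in lockout_policy_findings(parse_ldif_entry(SAMPLE_POLICY)):
        print("policy:", f)
    for f in scan_slapd_log(SAMPLE_LOG.splitlines()):
        print("log: conn={conn} op={op} bind err={bind_err}, but {modop} of {attr} "
              "was rejected with err={ldap_err} ({reason})".format(**f))
```

On the constructed input the log scan reports exactly the conn=7 bind: the internal modify that carries both the pwdAccountLockedTime replace and the pwdFailureTime add was rejected as a whole with err=20, so neither attribute was written for that bind, while conn=8 is reported as nothing more than a bad password. The policy lint reports only the informational note that, with pwdFailureCountInterval set to 30, all five failures have to land within 30 seconds of each other to reach pwdMaxFailure.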