Hello. I've been working on a system with a low security requirement and a high usability requirement. I use the ppolicy overlay and enabled ppolicy_use_lockout to avoid people getting confused when they fail to log in too many times:

suffix "st=jiangxi,o=LGOP"
rootdn "userid=admin,st=jiangxi,o=LGOP"
rootpw [...]
overlay ppolicy
ppolicy_default "st=jiangxi,o=LGOP"
ppolicy_use_lockout
Restart the openldap server and test again by trying to bind with the wrong password enough times (in my case, 20 times). Then try to bind with the right password:

ldapsearch -H ldap://gtz.ods.org/ -xD ou=江西省,st=jiangxi,o=LGOP -W ou=*余干* areacode
ldap_bind: Invalid credentials (49)
Here I still got error 49. I thought I would get something like "Account Locked" and a different error code. According to the man page:

ppolicy_use_lockout
A client will always receive an LDAP InvalidCredentials response when Binding to a locked account. By default, when a Password Policy control was provided on the Bind request, a Password Policy response will be included with no special error code set. This option changes the Password Policy response to include the AccountLocked error code. Note that sending the AccountLocked error code provides useful information to an attacker; sites that are sensitive to security issues should not enable this option.
Well, I checked the related RFC (http://www.ietf.org/rfc/rfc4511.txt) and didn't find an "Account Locked" error code. In fact, http://www.willeke.com:9080/wikildap/Wiki.jsp?page=LDAPResultCodes lists the LDAP result codes, and none of them is an "Account Locked" error code.
My questions: Is my setting working? How can I tell? The web application needs to tell if an account is locked, in order to improve usability for users.
Thanks a lot in advance!
Best regards,
Zhang Weiwu