I've just been playing with the ppolicy overlay and noticed that I wasn't locked out! Took a while to figure out, but I was only locked out if I was using a simple bind!
I've always used:
userPassword: {SASL}turbo@INT.DOMAIN.TLD
krb5PrincipalName: turbo@INT.DOMAIN.TLD
But before testing ppolicy, I changed the userPassword to '{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==' (=> 'secret').
I always thought that these two went hand in hand, but my tests now show that they do not. Is this so?!
Can this have something to do with my sasl-regexp?
----- s n i p -----
sasl-regexp uid=(.*),cn=int.domain.tld,cn=gssapi,cn=auth
            ldap:///c=SE??sub?krb5PrincipalName=$1@INT.DOMAIN.TLD
----- s n i p -----
So the result of this is that I can have one password for simple binds and one for SASL binds... Not a bad thing, but still...
Is it possible to apply the ppolicy on SASL binds?