Hello,
I use the ppolicy overlay and it works fine for all the features I've tested but one:
I've added the ppolicy_use_lockout parameter in my slapd.conf, but I still get the err=49 invalid credentials error message after 5 unsuccessful authentication attempts (a few seconds elapse between each attempt).
I operate slapd 2.4.13 over OpenSuse 10.2
I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.
I've tested with different ldapsearch versions as well as with Apache LDAP Studio which seems to use at least some LDAP controls, so I don't think it's a client side problem.
I've tried to set "ppolicy_use_lockout" to 1 or true or on, as well as leaving it without a value, but it doesn't change anything, except that unauthorized values prevent slapd from starting.
Here's what I see in "-d -1 mode":

<= acl_access_allowed: granted to database root
bdb_modify_internal: replace pwdAccountLockedTime
bdb_modify_internal: add pwdFailureTime
bdb_modify_internal: 20 modify/add: pwdFailureTime: value #0 already exists
bdb_modify: modify failed (20)
send_ldap_result: conn=7 op=0 p=3
send_ldap_result: err=20 matched="" text="modify/add: pwdFailureTime: value #0 already exists"
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 25
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
conn=7 op=0 RESULT tag=97 err=49 text=
daemon: activity on:
My config is as follows:

database bdb
...
...
overlay ppolicy
ppolicy_default "cn=default,ou=policies,.....
ppolicy_use_lockout
And my policy is as follows:

dn: cn=default,ou=policies,....
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 86400
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: default
Any clue?
Cyril
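The interesting part of the trace above is that the overlay's own bookkeeping write (replace pwdAccountLockedTime, add pwdFailureTime) fails with LDAP result 20 (attributeOrValueExists) before the bind result err=49 (invalidCredentials) goes back to the client. The script below is an added example, not code from the post or from the OpenLDAP project: it walks a "-d -1" excerpt, pulls out which ppolicy state attributes the overlay tried to write, whether that internal modify failed, and what result code the client actually received, so the two can be compared. Both traces are constructed samples; SAMPLE_TRACE is the post's excerpt re-split one event per line, HEALTHY_TRACE is an assumed trace of the same bind where the internal write succeeds. The line formats matched are those shown in the post; the "bdb_modify: updated ..." line in the healthy sample is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the slapd -d -1 excerpt from the post, one event per line.
SAMPLE_TRACE = """\
<= acl_access_allowed: granted to database root
bdb_modify_internal: replace pwdAccountLockedTime
bdb_modify_internal: add pwdFailureTime
bdb_modify_internal: 20 modify/add: pwdFailureTime: value #0 already exists
bdb_modify: modify failed (20)
send_ldap_result: conn=7 op=0 p=3
send_ldap_result: err=20 matched="" text="modify/add: pwdFailureTime: value #0 already exists"
send_ldap_response: msgid=1 tag=97 err=49
conn=7 op=0 RESULT tag=97 err=49 text=
"""

# Constructed (assumed) sample of the same failed bind where the overlay's
# state write succeeds: the failure is still recorded, the client still sees 49.
HEALTHY_TRACE = """\
<= acl_access_allowed: granted to database root
bdb_modify_internal: add pwdFailureTime
bdb_modify: updated id=00000010 dn="uid=alice,ou=people,dc=example,dc=com"
send_ldap_response: msgid=1 tag=97 err=49
conn=8 op=0 RESULT tag=97 err=49 text=
"""

# Operational attributes the ppolicy overlay writes on its own behalf.
PPOLICY_STATE_ATTRS = {"pwdFailureTime", "pwdAccountLockedTime", "pwdGraceUseTime"}

# Standard LDAP result codes relevant here (RFC 4511).
LDAP_RESULT_NAMES = {0: "success", 20: "attributeOrValueExists", 49: "invalidCredentials"}

MOD_RE = re.compile(r"^bdb_modify_internal: (add|replace|delete) (\w+)$")
MOD_ERR_RE = re.compile(r"^bdb_modify_internal: (\d+) (.*)$")
RESULT_RE = re.compile(r"^conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)")


def analyse_trace(trace: str) -> Dict[str, object]:
    """Report whether the ppolicy overlay's internal state update succeeded
    before the bind result was sent, and which result code the client got."""
    touched: List[str] = []
    internal_error: Optional[Dict[str, object]] = None
    bind_result: Optional[Dict[str, int]] = None

    for raw in trace.splitlines():
        line = raw.strip()
        m = MOD_RE.match(line)
        if m:
            op, attr = m.groups()
            if attr in PPOLICY_STATE_ATTRS:
                touched.append(f"{op} {attr}")
            continue
        m = MOD_ERR_RE.match(line)
        if m and internal_error is None:
            # First backend error on the internal modify, e.g. "20 modify/add: ..."
            internal_error = {"code": int(m.group(1)), "text": m.group(2)}
            continue
        m = RESULT_RE.match(line)
        if m:
            conn, op, tag, err = (int(x) for x in m.groups())
            # tag 97 (0x61) is the LDAP BindResponse application tag.
            bind_result = {"conn": conn, "op": op, "tag": tag, "err": err}

    bind_err = bind_result["err"] if bind_result else None
    state_update_failed = internal_error is not None and bool(touched)

    if state_update_failed:
        code = internal_error["code"]
        diagnosis = (
            f"ppolicy state write ({', '.join(touched)}) failed with result {code} "
            f"({LDAP_RESULT_NAMES.get(code, 'unknown')}): {internal_error['text']}; "
            f"client received err={bind_err} ({LDAP_RESULT_NAMES.get(bind_err, 'unknown')})"
        )
    elif touched:
        diagnosis = f"ppolicy state write ({', '.join(touched)}) succeeded; client received err={bind_err}"
    else:
        diagnosis = "no ppolicy state attributes touched in this trace"

    return {
        "touched_attrs": touched,
        "internal_error": internal_error,
        "bind_err": bind_err,
        "state_update_failed": state_update_failed,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for name, trace in (("post", SAMPLE_TRACE), ("healthy", HEALTHY_TRACE)):
        print(f"{name}: {analyse_trace(trace)['diagnosis']}")
```

Run it against a real "-d -1" capture by reading the file into analyse_trace; a bind whose state write keeps failing will never accumulate pwdFailureTime values, so pwdMaxFailure is never reached and the account cannot be reported as locked, whatever ppolicy_use_lockout is set to.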