----- "Cyril Grosjean" cgrosjean@janua.fr wrote:
Buchan Milne wrote:
----- "Cyril Grosjean" cgrosjean@janua.fr wrote:
Hello,

I use the ppolicy overlay and it works fine for all the features I've tested but one:

I've added the ppolicy_use_lockout parameter in my slapd.conf, but I still get the err=49 invalid credentials error message after 5 unsuccessful authentication attempts (a few seconds elapse between each attempt).

I operate slapd 2.4.13 over OpenSuse 10.2.

I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.
Well, you probably actually want them to get a message telling them that their password has expired, *before* they get locked out (otherwise you need admin intervention anyway).
I've tested with different ldapsearch versions as well as with Apache LDAP Studio, which seems to use at least some LDAP controls, so I don't think it's a client side problem.
Are you using the '-e ppolicy' option to ldapwhoami or similar?

Password policy requires the client to ask for, and interpret, the password policy controls. So, most likely it *is* a client side problem.
[...]
Any clue ?
Test with ldapwhoami, with the '-e ppolicy' option. If it works correctly, then this is not an OpenLDAP issue, and you should ask about pam_ldap password policy support on another list (e.g. OpenLDAP-technical) which allows pam_ldap questions.
Regards, Buchan
Thank you for all your answers. I understand it's a client problem now. I haven't tested yet with ldapwhoami, but I will soon. I've only tested with different versions (Solaris and Linux) of ldapsearch, as well as with Apache Directory Studio, and didn't find any option there to deal with the password policy controls.
-e ppolicy should work with ldapsearch as well:

$ ldapsearch --help 2>&1|grep -C8 ppolicy
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>   (a RFC 4515 Filter string)
             [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (a comma-separated attribute list)
             [!]preread[=<attrs>]   (a comma-separated attribute list)
             [!]relax
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -f file    read operations from `file'
  -h host    LDAP server
Regards, Buchan
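The point Buchan makes above is that the bind result itself never changes: a locked account still comes back as resultCode 49 (invalidCredentials), and the "account locked" information only arrives in a Password Policy response control that the server attaches when the client asked for it ('-e ppolicy'). The following is an added example, written for this page and not code from the thread or from OpenLDAP, showing what a ppolicy-aware client has to decode. It parses the BER value of the response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, as defined in the behera password-policy draft) with the standard library only and combines it with the bind result code. The sample control values, the RESULT_TEXT/ERROR_TEXT wording and all function names are this example's own, constructed for illustration.

```python
"""Decode the LDAP Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1).

Added example, not OpenLDAP code.  The sample control values below are
constructed by hand.  BER layout of the control value (behera draft):

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                           graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired (0), accountLocked (1), ... } OPTIONAL }
"""
from typing import Optional, Tuple

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# ENUMERATED error values from the draft, index == wire value.
PPOLICY_ERRORS = [
    "passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
    "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
    "passwordTooYoung", "passwordInHistory",
]
# Wording chosen for this example (not libldap's own strings).
ERROR_TEXT = {"passwordExpired": "Password expired", "accountLocked": "Account locked",
              "changeAfterReset": "Password must be changed"}
RESULT_TEXT = {0: "Success (0)", 49: "Invalid credentials (49)"}

TAG_SEQUENCE, TAG_WARNING, TAG_ERROR = 0x30, 0xA0, 0x81   # outer SEQUENCE, [0] and [1]
TAG_EXPIRE, TAG_GRACE = 0x80, 0x81                        # choices inside warning [0]


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag/length/value at pos; return (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _int(contents: bytes) -> int:
    if not contents:
        raise ValueError("empty INTEGER")
    return int.from_bytes(contents, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> dict:
    """Parse a control value into {time_before_expiration, grace_authns_remaining, error}."""
    tag, body, end = _tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    out = {"time_before_expiration": None, "grace_authns_remaining": None, "error": None}
    pos, seen_warning, seen_error = 0, False, False
    while pos < len(body):
        tag, contents, pos = _tlv(body, pos)
        if tag == TAG_WARNING and not seen_warning and not seen_error:
            seen_warning = True
            wtag, wval, wend = _tlv(contents, 0)     # CHOICE is explicitly tagged
            if wend != len(contents):
                raise ValueError("trailing data in warning")
            if wtag == TAG_EXPIRE:
                out["time_before_expiration"] = _int(wval)
            elif wtag == TAG_GRACE:
                out["grace_authns_remaining"] = _int(wval)
            else:
                raise ValueError("unknown warning choice 0x%02x" % wtag)
        elif tag == TAG_ERROR and not seen_error:
            seen_error = True
            code = _int(contents)
            out["error"] = PPOLICY_ERRORS[code] if 0 <= code < len(PPOLICY_ERRORS) else "unknown(%d)" % code
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return out


def describe_bind(result_code: int, ppolicy_value: Optional[bytes]) -> str:
    """Message a client should show: resultCode plus whatever the control adds.

    Without the control (client did not request it), a locked account and a
    wrong password both look like plain resultCode 49."""
    base = RESULT_TEXT.get(result_code, "LDAP error (%d)" % result_code)
    if ppolicy_value is None:
        return base
    info = decode_ppolicy_response(ppolicy_value)
    notes = []
    if info["error"] is not None:
        notes.append(ERROR_TEXT.get(info["error"], info["error"]))
    if info["time_before_expiration"] is not None:
        notes.append("Password expires in %d seconds" % info["time_before_expiration"])
    if info["grace_authns_remaining"] is not None:
        notes.append("%d grace login(s) remaining" % info["grace_authns_remaining"])
    return base if not notes else base + "; " + ", ".join(notes)


# Constructed sample control values (hex written out by hand for this example).
SAMPLE_LOCKED = bytes.fromhex("3003810101")            # error accountLocked (1)
SAMPLE_EXPIRING = bytes.fromhex("3006a00480020 12c".replace(" ", ""))  # expires in 300 s
SAMPLE_GRACE = bytes.fromhex("3008a003810101810100")   # 1 grace login left, passwordExpired
```

Running describe_bind(49, None) gives just "Invalid credentials (49)", which is exactly what the original poster saw; describe_bind(49, SAMPLE_LOCKED) gives "Invalid credentials (49); Account locked". The decoder rejects malformed values rather than guessing, because a client that silently ignores an undecodable control would fall back to the misleading plain-49 message.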