On Friday 08 February 2008 08:11:58 Tony Earnshaw wrote:
> Dan White wrote, on 07-02-2008 18:42:
> [...]
> > I understand that I could implement the password policy overlay to temporarily lock out an account once it's reached a certain number of bad password attempts, but I believe that only applies to simple (-x) binds. Is that correct?
>
> My site's running ppolicy on 2.3 on Linux for gdm logins with great success; however, my understanding is that it only cares about pam/pam_exop calls (presumably also similar from dedicated client or proxy software).

exop only affects how passwords are changed, not what the client sends on a simple bind request.

> Looking at the relevant operational attributes in gq, one can see that each failed login is recorded in the pwdFailureTime attribute. Doing a repeated ldapsearch -x on an account with an invalid password doesn't make the blindest bit of difference to this attribute and multiple failed attempts are allowed.

Uh, when binding as the DN in question, or not (your ldapsearch -x is ambiguous)?

In the testing I did a while back (where I used ldapwhoami), simple binds with and without the ppolicy control both resulted in lockout (but the one with the control would warn about impending expiry when testing expiry). In fact, I broke replication on one of the dev slaves that was using a simple bind in the syncrepl configuration.
Regards, Buchan
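As an added illustration (not part of any message in this thread, and not OpenLDAP's own code), the following script models how the ppolicy overlay turns the pwdFailureTime values discussed above into a lockout decision: failures are counted against pwdMaxFailure, and only those younger than pwdFailureCountInterval seconds still count (0 means they never age out). The pwdFailureTime values and the "now" timestamp are constructed sample data; an administrator auditing entries dumped with ldapsearch can feed real values to the same functions.

```python
"""Model OpenLDAP ppolicy lockout from an entry's pwdFailureTime values.

Assumptions (not stated in the thread): pwdMaxFailure and
pwdFailureCountInterval behave as in the ppolicy overlay, i.e. lockout when
the number of still-counted failures reaches pwdMaxFailure, and an interval
of 0 means failures are never purged. Sample values below are constructed.
"""
from datetime import datetime, timedelta, timezone


def parse_gentime(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20080207184200Z or
    20080207184200.250000Z (slapd writes the fractional form)."""
    value = value.rstrip("Z")
    fmt = "%Y%m%d%H%M%S.%f" if "." in value else "%Y%m%d%H%M%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def failures_in_window(failure_times, now, interval_seconds=0):
    """Count the pwdFailureTime values that still count toward lockout."""
    times = [parse_gentime(t) for t in failure_times]
    if interval_seconds == 0:          # ppolicy default: failures never expire
        return len(times)
    cutoff = now - timedelta(seconds=interval_seconds)
    return sum(1 for t in times if t >= cutoff)


def is_locked_out(failure_times, now, max_failure, interval_seconds=0):
    """True when the account would be locked; pwdMaxFailure 0 disables lockout."""
    if max_failure == 0:
        return False
    return failures_in_window(failure_times, now, interval_seconds) >= max_failure


# Constructed sample: pwdFailureTime values left by three bad simple binds.
SAMPLE_FAILURES = [
    "20080207183000Z",
    "20080207184100Z",
    "20080207184130.250000Z",
]
SAMPLE_NOW = parse_gentime("20080207184200Z")

if __name__ == "__main__":
    # With pwdMaxFailure 3 the entry is locked; with a 5 minute
    # pwdFailureCountInterval the 18:30 failure has aged out and it is not.
    print(is_locked_out(SAMPLE_FAILURES, SAMPLE_NOW, max_failure=3))
    print(is_locked_out(SAMPLE_FAILURES, SAMPLE_NOW, max_failure=3,
                        interval_seconds=300))
```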