Clowser, Jeff wrote:
I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead
of
"invalid credentials" when a user fails to log in more than 5 times.
That's by intention (or should be). You never want to differentiate to the client the difference between the bind failing because of invalid credentials and failing because the account is locked, for security reasons.
Yes. The slapo-ppolicy(5) manpage already discusses this.
The manpage also discusses the AccountLocked error code - it is returned in the PasswordPolicy response control, not in the LDAP Result code. As the manpage clearly states, "A client will always receive an LDAP InvalidCredentials response ..."