I'm not sure if it's worth mentioning that I am seeing the following in syslog when I start up slapd:
Aug 20 09:44:18 dir01alt slapd[14600]: WARNING: No dynamic config support for overlay ppolicy.
It says it's a warning, but I'm not sure I believe it.
~Paul -----Original Message----- From: openldap-software-bounces+discip=pjm.com@OpenLDAP.org [mailto:openldap-software-bounces+discip=pjm.com@OpenLDAP.org] On Behalf Of discip@pjm.com Sent: Monday, August 18, 2008 7:31 AM To: adam.m.leach@gmail.com Cc: openldap-software@openldap.org; andrew.findlay@skills-1st.co.uk Subject: Re: ppolicy password lockout
Yes, i recreated the user after putting the overly in the config. -----Original Message----- From: Adam Leach [mailto:adam.m.leach@gmail.com] Sent: Friday, August 15, 2008 10:46 AM To: DiSciascio, Paul Cc: andrew.findlay@skills-1st.co.uk; openldap-software@openldap.org Subject: Re: [Probable SPAM] Re: ppolicy password lockout
Did you add this user _after_ putting the overlay ppolicy in your config or before? In my past experience only entries that were added after the fact were affected.
On Fri, Aug 15, 2008 at 9:12 AM, discip@pjm.com wrote:
Here are the results after multiple bad attempts to bind to the LDAP server. Additionally, I changed the password for the user before I started, and I don't see attributes related to that either
user@dir01alt:~> ldapsearch -D "cn=manager,dc=pjm,dc=com" -Wx -b "dc=pjm,dc=com" "(uid=testuser)" + Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=pjm,dc=com> with scope subtree # filter: (uid=testuser) # requesting: + #
# testuser, People, Test, External, pjm.com dn: uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com structuralObjectClass: inetOrgPerson entryUUID: e15065de-f814-102c-85ad-6b504a287112 creatorsName: cn=manager,dc=pjm,dc=com createTimestamp: 20080806150541Z entryCSN: 20080813115547Z#000000#00#000000 modifiersName: cn=stoat,dc=pjm,dc=com modifyTimestamp: 20080813115547Z entryDN: uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com subschemaSubentry: cn=Subschema hasSubordinates: FALSE
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
-----Original Message----- From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk] Sent: Thursday, August 14, 2008 2:46 PM To: DiSciascio, Paul Cc: openldap-software@openldap.org Subject: [Probable SPAM] Re: ppolicy password lockout
On Thu, Aug 14, 2008 at 07:58:44AM -0400, discip@pjm.com wrote:
I don't see any pwdFailureTime attributes ever show up for the user in question, and the password never locks after bad password attempts.
When reading the user entry are you requesting the operational attributes? You need to do that to see things like failure times. Add '+' to the end of the ldapsearch command and see what you get.
Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------