10:32 a.m.
hello
OpenLdap 2.4.18.
Attribute "pwdAccountLockedTime" is set, but auth is still Ok . Why ?
On Ldap 2.3 it works normal - user don't auth after this date.
# date
Tue Sep 22 21:24:44 MSD 2009
ldapsearch -h localhost -x -b 'ou=SrpUsers,dc=company,dc=com' -D
"cn=admin,dc=company,dc=com" -w password "cn=_1*" + | grep
pwdAccountLockedTime
pwdAccountLockedTime: 20090922153148Z
but
slapauth -v -f /usr/local/etc/openldap/slapd.conf -U _125363 -X u:_125363
bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/accesslog-data:
(2).
Expect poor performance for suffix "cn=accesslog".
bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data:
(2).
Expect poor performance for suffix "dc=company,dc=com".
ID: <_125363>
authcDN: <uid=_125363,cn=auth>
authzDN: <uid=_125363,cn=auth>
authorization OK
How I can resolve problem with non-working "pwdAccountLockedTime" ?
--
---______________________________________________---
Evgeniy
1:06 p.m.
Evgeniy wrote:
hello
OpenLdap 2.4.18.
Attribute "pwdAccountLockedTime" is set, but auth is still Ok . Why ? On
Ldap 2.3 it works normal - user don't auth after this date.
Most likely because of ITS#6168. The behavior prior to 2.4.17 did not conform
to the spec, and is fixed in 2.4.17 onward.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
1:15 p.m.
New subject: Re[2]: problem with security ppolicy
Hello, Howard.
"OpenLDAP 2.4.17 :
Fixed slapo-ppolicy to honor pwdLockout (ITS#6168)"
problem fixed in 2.4.17 & 18 ?
But now I use 2.4.18 .
go to 2.4.16 ?
you wrote 23 sep2009 г., 23:06:00:
HC> Evgeniy wrote:
> hello
> OpenLdap 2.4.18.
> Attribute "pwdAccountLockedTime" is set, but auth is
still Ok . Why ? On
HC> Ldap 2.3 it works normal - user don't auth after this
date.
HC> Most likely because of ITS#6168. The behavior prior to 2.4.17 did not conform
HC> to the spec, and is fixed in 2.4.17 onward.
--
with deference,
Evgeniy mailto:evplus@yandex.ru
5:49 a.m.
New subject: problem with security ppolicy / solved by ->> 2.4.16
downgrade to 2.4.16 solves this problem.
thank you.
hopefully, this bug will fixed in next release...
24.09.09, 00:06, "Howard Chu" <hyc(a)symas.com>:
Evgeniy wrote:
> hello
>
> OpenLdap 2.4.18.
>
> Attribute "pwdAccountLockedTime" is set, but auth is still Ok . Why ? On
Ldap 2.3 it works normal - user don't auth after this date.
Most likely because of ITS#6168. The behavior prior to 2.4.17 did not conform
to the spec, and is fixed in 2.4.17 onward.
--
---______________________________________________---
with deference, Evgeniy
12:03 p.m.
New subject: problem with security ppolicy / solved by ->> 2.4.16
Evgeniy wrote:
downgrade to 2.4.16 solves this problem.
thank you.
hopefully, this bug will fixed in next release...
There is no bug, pwdAccountLockedTime works as designed. It is explicitly
checked in test022 of the test suite so you can see for yourself that it works
correctly.
Your configuration is wrong, therefore no lock is performed.
24.09.09, 00:06, "Howard Chu"<hyc(a)symas.com>:
> Evgeniy wrote:
>> hello
>>
>> OpenLdap 2.4.18.
>>
>> Attribute "pwdAccountLockedTime" is set, but auth is still Ok . Why ?
On
> Ldap 2.3 it works normal - user don't auth after this date.
> Most likely because of ITS#6168. The behavior prior to 2.4.17 did not conform
> to the spec, and is fixed in 2.4.17 onward.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:42 a.m.
Can you get example of correct using security attr (pwdAccountLockedTime,
pwdMaxFailure and others) for 2.4.18 ?
24.09.09, 23:03, "Howard Chu" <hyc(a)symas.com>:
There is no bug, pwdAccountLockedTime works as designed. It is
explicitly
checked in test022 of the test suite so you can see for yourself that it works
correctly.
Your configuration is wrong, therefore no lock is performed.
--
---______________________________________________---
Best Regards,
Evgeniy
2:37 p.m.
2009/9/25 Evgeniy <evplus(a)yandex.ru>:
Can you get example of correct using security attr (pwdAccountLockedTime,
pwdMaxFailure and others) for 2.4.18 ?
Hi,
the ITS was opened because pwdAccountLockedTime was efficient on
entries not concerned by any password policy, which was a mistake.
This is now corrected, so you have to apply a password policy to your
entry, either by setting a default password policy in ppolicy overlay
configuration (man slapo-ppolicy), either by filling the
pwdPolicySubentry attribute.
Clément.
10:51 a.m.
On releases up to 2.4.16 (2.3.x too) works next config :
overlay ppolicy
ppolicy_default "cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
On 2.4.18, 2.4.19 its don't work.
>you have to apply a password policy to your > entry, either by
setting a default password policy in ppolicy overlay > configuration
How I can do it ?
26.09.09, 01:37, "Clément OUDOT" <clem.oudot(a)gmail.com>:
2009/9/25 Evgeniy :
>
> Can you get example of correct using security attr (pwdAccountLockedTime,
pwdMaxFailure and others) for 2.4.18 ?
>
Hi,
the ITS was opened because pwdAccountLockedTime was efficient on
entries not concerned by any password policy, which was a mistake.
This is now corrected, so you have to apply a password policy to your
entry, either by setting a default password policy in ppolicy overlay
configuration (man slapo-ppolicy), either by filling the
pwdPolicySubentry attribute.
Clément.
--
---______________________________________________---
Evgeniy
12:21 a.m.
Le 7 octobre 2009 19:51, Evgeniy <evplus(a)yandex.ru> a écrit :
On releases up to 2.4.16 (2.3.x too) works next config :
overlay ppolicy
ppolicy_default "cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
On 2.4.18, 2.4.19 its don't work.
>>you have to apply a password policy to your > entry, either by setting a
default password policy in ppolicy overlay > configuration
How I can do it ?
The configuration looks correct. The pwdAccountLockedTime attribute
should deactivate an entry in the directory. Be sure to have a TRUE
value in pwdLockout attribute of
cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com
Clément.
4:18 a.m.
Its solving problem with security policy. Thank you.
Please, update documentation for security policy in OpenLdap.
Now:
"This attribute controls the action taken when an account has had more consecutive
failed bind attempts with invalid passwords than is defined by pwdMaxFailure."
But pwdLockout : TRUE enables other security blocks too, and this blocks don't
work without it.
08.10.09, 11:21, "Clément OUDOT" <clem.oudot(a)gmail.com>:
Le 7 octobre 2009 19:51, Evgeniy a écrit :
>
> On releases up to 2.4.16 (2.3.x too) works next config :
>
> overlay ppolicy
> ppolicy_default
"cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com"
> ppolicy_hash_cleartext
> ppolicy_use_lockout
>
> On 2.4.18, 2.4.19 its don't work.
>
>>>you have to apply a password policy to your > entry, either by setting a
default password policy in ppolicy overlay > configuration
>
> How I can do it ?
The configuration looks correct. The pwdAccountLockedTime attribute
should deactivate an entry in the directory. Be sure to have a TRUE
value in pwdLockout attribute of
cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com
Clément.
--
---______________________________________________---
С уважением, Евгений
5097
days inactive
5113
days old
openldap-software@openldap.org
9 comments
3 participants
participants (3)
-
Clément OUDOT -
Evgeniy -
Howard Chu