hello
OpenLDAP 2.4.18.
Attribute "pwdAccountLockedTime" is set, but auth is still OK. Why? On LDAP 2.3 it works normally - the user doesn't auth after this date.
# date
Tue Sep 22 21:24:44 MSD 2009
ldapsearch -h localhost -x -b 'ou=SrpUsers,dc=company,dc=com' -D "cn=admin,dc=company,dc=com" -w password "cn=_1*" + | grep pwdAccountLockedTime
pwdAccountLockedTime: 20090922153148Z
but
slapauth -v -f /usr/local/etc/openldap/slapd.conf -U _125363 -X u:_125363
bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/accesslog-data: (2).
Expect poor performance for suffix "cn=accesslog".
bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).
Expect poor performance for suffix "dc=company,dc=com".
ID: <_125363>
authcDN: <uid=_125363,cn=auth>
authzDN: <uid=_125363,cn=auth>
authorization OK
How can I resolve the problem with the non-working "pwdAccountLockedTime"?
Evgeniy wrote:
> hello
> OpenLDAP 2.4.18.
> Attribute "pwdAccountLockedTime" is set, but auth is still OK. Why? On
> LDAP 2.3 it works normally - the user doesn't auth after this date.
Most likely because of ITS#6168. The behavior prior to 2.4.17 did not conform to the spec, and is fixed in 2.4.17 onward.
Hello, Howard.
"OpenLDAP 2.4.17 : Fixed slapo-ppolicy to honor pwdLockout (ITS#6168)"
Is the problem fixed in 2.4.17 & 18?
But now I use 2.4.18. Go to 2.4.16?
You wrote on 23 Sep 2009, 23:06:00:
HC> Evgeniy wrote:
HC> > hello
HC> > OpenLDAP 2.4.18.
HC> > Attribute "pwdAccountLockedTime" is set, but auth is still OK. Why? On
HC> > LDAP 2.3 it works normally - the user doesn't auth after this date.
HC> Most likely because of ITS#6168. The behavior prior to 2.4.17 did not conform
HC> to the spec, and is fixed in 2.4.17 onward.
Downgrade to 2.4.16 solves this problem. Thank you. Hopefully this bug will be fixed in the next release...
24.09.09, 00:06, "Howard Chu" hyc@symas.com:
> Evgeniy wrote:
> > hello
> > OpenLDAP 2.4.18.
> > Attribute "pwdAccountLockedTime" is set, but auth is still OK. Why? On
> > LDAP 2.3 it works normally - the user doesn't auth after this date.
> Most likely because of ITS#6168. The behavior prior to 2.4.17 did not conform to the spec, and is fixed in 2.4.17 onward.
Evgeniy wrote:
> Downgrade to 2.4.16 solves this problem. Thank you. Hopefully this bug will be fixed in the next release...
There is no bug, pwdAccountLockedTime works as designed. It is explicitly checked in test022 of the test suite so you can see for yourself that it works correctly.
Your configuration is wrong, therefore no lock is performed.
> 24.09.09, 00:06, "Howard Chu" hyc@symas.com:
> > Evgeniy wrote:
> > > hello
> > > OpenLDAP 2.4.18.
> > > Attribute "pwdAccountLockedTime" is set, but auth is still OK. Why? On
> > > LDAP 2.3 it works normally - the user doesn't auth after this date.
> > Most likely because of ITS#6168. The behavior prior to 2.4.17 did not conform to the spec, and is fixed in 2.4.17 onward.
Can you give an example of correct use of the security attributes (pwdAccountLockedTime, pwdMaxFailure and others) for 2.4.18?
24.09.09, 23:03, "Howard Chu" hyc@symas.com:
> There is no bug, pwdAccountLockedTime works as designed. It is explicitly checked in test022 of the test suite so you can see for yourself that it works correctly. Your configuration is wrong, therefore no lock is performed.
2009/9/25 Evgeniy evplus@yandex.ru:
> Can you give an example of correct use of the security attributes (pwdAccountLockedTime, pwdMaxFailure and others) for 2.4.18?
Hi,
the ITS was opened because pwdAccountLockedTime was effective on entries not concerned by any password policy, which was a mistake. This is now corrected, so you have to apply a password policy to your entry, either by setting a default password policy in the ppolicy overlay configuration (man slapo-ppolicy), or by filling the pwdPolicySubentry attribute.
Clément.
On releases up to 2.4.16 (2.3.x too) the following config works:
overlay ppolicy
ppolicy_default "cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
On 2.4.18 and 2.4.19 it doesn't work.
> you have to apply a password policy to your
> entry, either by setting a default password policy in ppolicy overlay
> configuration
How can I do it?
26.09.09, 01:37, "Clément OUDOT" clem.oudot@gmail.com:
> 2009/9/25 Evgeniy:
> > Can you give an example of correct use of the security attributes (pwdAccountLockedTime, pwdMaxFailure and others) for 2.4.18?
> Hi, the ITS was opened because pwdAccountLockedTime was effective on entries not concerned by any password policy, which was a mistake. This is now corrected, so you have to apply a password policy to your entry, either by setting a default password policy in the ppolicy overlay configuration (man slapo-ppolicy), or by filling the pwdPolicySubentry attribute. Clément.
On 7 October 2009 19:51, Evgeniy evplus@yandex.ru wrote:
> On releases up to 2.4.16 (2.3.x too) the following config works:
> overlay ppolicy
> ppolicy_default "cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com"
> ppolicy_hash_cleartext
> ppolicy_use_lockout
> On 2.4.18 and 2.4.19 it doesn't work.
> > you have to apply a password policy to your
> > entry, either by setting a default password policy in ppolicy overlay
> > configuration
> How can I do it?
The configuration looks correct. The pwdAccountLockedTime attribute should deactivate an entry in the directory. Be sure to have a TRUE value in the pwdLockout attribute of cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com
Clément.
It solves the problem with the security policy. Thank you.
Please update the documentation for the security policy in OpenLDAP.
Now it says: "This attribute controls the action taken when an account has had more consecutive failed bind attempts with invalid passwords than is defined by pwdMaxFailure." But pwdLockout: TRUE enables other security blocks too, and these blocks don't work without it.
08.10.09, 11:21, "Clément OUDOT" clem.oudot@gmail.com:
> On 7 October 2009 19:51, Evgeniy wrote:
> > On releases up to 2.4.16 (2.3.x too) the following config works:
> > overlay ppolicy
> > ppolicy_default "cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com"
> > ppolicy_hash_cleartext
> > ppolicy_use_lockout
> > On 2.4.18 and 2.4.19 it doesn't work.
> > > you have to apply a password policy to your
> > > entry, either by setting a default password policy in ppolicy overlay
> > > configuration
> > How can I do it?
> The configuration looks correct. The pwdAccountLockedTime attribute should deactivate an entry in the directory. Be sure to have a TRUE value in the pwdLockout attribute of cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com Clément.
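As an added example (not posted by anyone in this thread), here is LDIF that puts Clément's two pieces of advice together for the overlay directives Evgeniy posted (ppolicy_default pointing at cn=CompanyAccountPolicy, ppolicy_use_lockout): the policy subentry itself with pwdLockout set to TRUE, the optional per-entry pwdPolicySubentry binding as the alternative to ppolicy_default, and an administrative lock of one account. The user DN uid=_125363,ou=SrpUsers,dc=company,dc=com is an assumption; the thread only shows the SASL ID _125363, not the entry's DN.

```ldif
# Added example, not from the thread. Policy subentry for the DN named in
# ppolicy_default. pwdPolicy is an auxiliary class, so a structural class
# (device, as in the OpenLDAP admin guide) carries the cn.
dn: cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: CompanyAccountPolicy
pwdAttribute: userPassword
# Without pwdLockout: TRUE neither pwdMaxFailure nor a manually set
# pwdAccountLockedTime has any effect on bind (the point of this thread).
pwdLockout: TRUE
# Lock after 5 consecutive failed binds; failures older than 5 minutes
# no longer count toward that total.
pwdMaxFailure: 5
pwdFailureCountInterval: 300
# 0 = stay locked until an administrator removes pwdAccountLockedTime;
# a positive value releases the lock after that many seconds.
pwdLockoutDuration: 0
# Audit trail: keep the last 3 failure timestamps on the entry.
pwdInHistory: 3

# Alternative to ppolicy_default: bind the policy to a single entry.
# (assumed user DN)
dn: uid=_125363,ou=SrpUsers,dc=company,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=CompanyAccountPolicy,ou=CompanyPolicies,dc=Company,dc=com

# Administrative lock of the same (assumed) entry, using the same timestamp
# format the thread shows. With pwdLockoutDuration 0 this holds until the
# attribute is deleted again.
dn: uid=_125363,ou=SrpUsers,dc=company,dc=com
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 20090922153148Z
```

Load it as the rootdn with ldapadd/ldapmodify -x -D "cn=admin,dc=company,dc=com" -W -f policy.ldif (the policy entry goes through ldapadd, the two modify records through ldapmodify). To check the result the way a bind actually sees it, run ldapwhoami -x -e ppolicy -D "uid=_125363,ou=SrpUsers,dc=company,dc=com" -W with the user's real password: the bind must fail with invalid credentials (error 49), and because ppolicy_use_lockout is set, the ppolicy response control reports the account as locked rather than hiding the reason. If that bind still succeeds, the entry is not covered by the policy (no ppolicy_default and no pwdPolicySubentry) or pwdLockout is not TRUE on the policy entry, which is exactly the failure mode Clément diagnosed. Note that pwdInHistory above concerns password reuse, not failure timestamps; the failure timestamps are kept in pwdFailureTime automatically, so drop the pwdInHistory line if you do not want password-history enforcement.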
openldap-software@openldap.org