Hello,
First let me thank the gracious folks on this list who have lent their advice to me on my path towards implementing ppolicy. I'm making progress; I can reject new passwords based on password history, and reject weak passwords. However, I'm having a bit of a time trying to get the lockouts to work. My policy is defined as:
cn=Password Policy,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdLockoutDuration: 60
pwdMaxFailure: 3
However, even after many failure attempts, I see no pwdFailureTime attributes in the offending user's entry:
dn: uid=testuser,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser
sn: testuser
givenName: testuser
uid: testuser
uidNumber: 1009
gidNumber: 513
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: 42d5971e-7b49-102c-8aae-af676a6dbed9
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20080229193543Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-1484159386-3942804292-94657008-3018
sambaPrimaryGroupSID: S-1-5-21-1484159386-3942804292-94657008-513
sambaLogonScript: logon.bat
sambaProfilePath: \masterldap.example.com\profiles\testuser
sambaHomePath: \masterldap.example.com\testuser
sambaHomeDrive: H:
pwdHistory: 20080313194326Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}C2DOwhgHFTcXmGxRdqlpBUz12eZpRXI4
pwdHistory: 20080313194602Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}AboL9Sp7678X2KsPv8sMPE5CC2i6c6LY
pwdHistory: 20080313194626Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7hUqCecYGvdg5bx1ybw71YQcZShicmFk
pwdHistory: 20080313194852Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}E920Fe1PlYVBwjn+rpiOFO8UaiRzZnB6
pwdHistory: 20080313200637Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}hFfD2xFwG/Ts5PVg3CAIf4i6rkpaZnNM
pwdHistory: 20080313200941Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}/GpzR2wV7dyXITeU+5nBpFyTKdgxQzk4
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [U]
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1205438797
sambaPwdMustChange: 1209326797
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
pwdChangedTime: 20080313200941Z
entryCSN: 20080313200941Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080313200941Z
Is the shadowAccount attribute killing me? I'm not really sure. Just for completeness, the slapd.conf (abridged) looks like:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/ppolicy.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap

database bdb
suffix "dc=example,dc=com"
directory /var/lib/ldap
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj

overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
    by self write
    by * auth
access to *
    by * read

moduleload smbk5pwd.la

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

loglevel -1
sasl-secprops none
As always, thank you for your help.
Best Regards, Ryan
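As an added example (editor's code, not part of the thread and not OpenLDAP's own implementation), the script below models what the ppolicy overlay is expected to write to a user entry on each failed bind, using the lockout values from the policy above. It parses LDIF text (including the folded continuation lines that the pwdHistory values above were wrapped with), replays failed binds at chosen timestamps, and reports the pwdFailureTime / pwdAccountLockedTime values that should result, plus whether pwdLockoutDuration has elapsed. The rules are my reading of the password-policy draft that the overlay implements; the DNs mirror the post, and every LDIF value and timestamp is constructed.

```python
"""Added example, not from the thread: a small model of what the ppolicy
overlay records on a failed bind, driven by LDIF text like the entries in
the post. All input is constructed; nothing talks to a server."""
from datetime import datetime, timedelta, timezone

# Constructed policy entry with the same lockout values as the post.
POLICY_LDIF = """\
dn: cn=Password Policy,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 60
pwdFailureCountInterval: 0
"""

# Constructed user entry with no failures yet; the pwdHistory value is folded
# over two lines the way LDIF wraps long values (continuation starts with a space).
USER_LDIF = """\
dn: uid=testuser,ou=Users,dc=example,dc=com
uid: testuser
pwdHistory: 20080313194326Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}C2DOwhgHFTc
 XmGxRdqlpBUz12eZpRXI4
"""

GENTIME = "%Y%m%d%H%M%SZ"  # GeneralizedTime as slapd writes it


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, unfolding continuation
    lines and skipping comments (base64 '::' values are left encoded)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.lstrip(":").strip())
    return entry


def parse_gentime(value):
    return datetime.strptime(value, GENTIME).replace(tzinfo=timezone.utc)


def policy_int(policy, attr):
    return int(policy.get(attr, ["0"])[0])


def record_failed_bind(policy, user, now):
    """Apply the draft's rules for one failed bind at *now*; return how many
    failures count afterwards.
      * a pwdFailureTime is added whenever pwdMaxFailure > 0;
      * pwdFailureCountInterval 0 keeps every stamp until a successful bind
        clears them; a positive interval discards stamps older than that;
      * with pwdLockout TRUE, reaching pwdMaxFailure sets pwdAccountLockedTime."""
    max_failure = policy_int(policy, "pwdMaxFailure")
    if max_failure <= 0:
        return 0
    stamps = user.setdefault("pwdFailureTime", [])
    stamps.append(now.strftime(GENTIME))
    interval = policy_int(policy, "pwdFailureCountInterval")
    if interval > 0:
        window = timedelta(seconds=interval)
        stamps[:] = [s for s in stamps if now - parse_gentime(s) <= window]
    lockout = policy.get("pwdLockout", ["FALSE"])[0].upper() == "TRUE"
    if lockout and len(stamps) >= max_failure and "pwdAccountLockedTime" not in user:
        user["pwdAccountLockedTime"] = [now.strftime(GENTIME)]
    return len(stamps)


def is_locked(policy, user, now):
    """True while pwdAccountLockedTime is set and pwdLockoutDuration has not
    elapsed (a duration of 0 means locked until an administrator clears it)."""
    locked = user.get("pwdAccountLockedTime")
    if not locked:
        return False
    duration = policy_int(policy, "pwdLockoutDuration")
    return duration == 0 or now < parse_gentime(locked[0]) + timedelta(seconds=duration)


def simulate(policy_ldif, user_ldif, failure_stamps):
    """Replay failed binds at the given GeneralizedTime stamps and return the
    user entry as the overlay would have left it."""
    policy = parse_ldif_entry(policy_ldif)
    user = parse_ldif_entry(user_ldif)
    for stamp in failure_stamps:
        record_failed_bind(policy, user, parse_gentime(stamp))
    return user


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    user = simulate(POLICY_LDIF, USER_LDIF, ["20080314120000Z", "20080314120005Z", "20080314120010Z"])
    print("pwdFailureTime:", user["pwdFailureTime"])                  # three stamps
    print("pwdAccountLockedTime:", user.get("pwdAccountLockedTime"))  # set on the third failure
    print("locked 20 s later:", is_locked(policy, user, parse_gentime("20080314120030Z")))  # True
    print("locked 80 s later:", is_locked(policy, user, parse_gentime("20080314120130Z")))  # False
```

The entry this produces is what a search run as the rootdn that asks for operational attributes (the "+" attribute list) should show after three genuinely failed simple binds as the user; pwdFailureTime and pwdAccountLockedTime are operational, so a search that lists only user attributes will never display them. Changing pwdFailureCountInterval in POLICY_LDIF to a positive value shows the other side of the rule: stamps older than the interval drop out and the third failure alone no longer locks the account.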
On Friday 14 March 2008 00:11:57 Ryan Steele wrote:
> Hello,
> First let me thank the gracious folks on this list who have lent their advice to me on my path towards implementing ppolicy. I'm making progress; I can reject new passwords based on password history, and reject weak passwords. However, I'm having a bit of a time trying to get the lockouts to work. My policy is defined as:
>
> cn=Password Policy,ou=Policies,dc=example,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: Password Policy
> pwdAttribute: userPassword
> pwdMaxAge: 3888000
> pwdMinLength: 6
> pwdExpireWarning: 432000
> pwdFailureCountInterval: 0
> pwdMustChange: FALSE
> pwdAllowUserChange: TRUE
> pwdSafeModify: TRUE
> pwdLockout: TRUE
> pwdCheckQuality: 1
> pwdGraceAuthNLimit: 0
> pwdInHistory: 6
> pwdLockoutDuration: 60
> pwdMaxFailure: 3
>
> However, even after many failure attempts, I see no pwdFailureTime attributes in the offending user's entry:
This worked without any complications for me (on various versions of 2.3, most recently 2.3.34, and currently 2.3.40).
How are you testing?
Regards, Buchan