----- "Cyril Grosjean" <cgrosjean(a)janua.fr> wrote:
> Hello,
> I use the ppolicy overlay and it works fine for all the features I've
> tested but one:
> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
> still get the err=49 invalid credentials error message after 5
> unsuccessful authentication attempts (a few seconds elapse between
> each attempt).
> I operate slapd 2.4.13 over OpenSuse 10.2.
> I can for example expire passwords, reset them or use the password
> history feature, but I can't figure out how to get an "account locked"
> message instead of "invalid credentials" when a user fails to log in
> more than 5 times.

Well, you probably actually want them to get a message telling them that their password
has expired, *before* they get locked out (otherwise you need admin intervention anyway).

> I've tested with different ldapsearch versions as well as with Apache
> LDAP Studio which seems to use at least some LDAP controls, so I don't
> think it's a client side problem.

Are you using the '-e ppolicy' option to ldapwhoami or similar? Password policy
requires the client to ask for, and interpret the password policy controls. So, most
likely it *is* a client side problem.

[...]

> Any clue?

Test with ldapwhoami, with the '-e ppolicy' options. If they work correctly, then
this is not an OpenLDAP issue, and you should ask about pam_ldap password policy support
on another list (e.g. OpenLDAP-technical) which allows pam_ldap questions.
Regards,
Buchan