You wrote:
It would help to: 1)provide the contents of your ppolicy_default 2)explain exactly what is not working
Here is the test policy I have in the directory.
dn: cn=test,ou=portal,ou=policies,dc=ttpua,dc=portal objectClass: pwdPolicy objectClass: top objectClass: device cn: test pwdAttribute: userPassword pwdMaxAge: 360 pwdExpireWarning: 120 pwdInHistory: 3 pwdCheckQuality: 1 pwdMinLength: 8 pwdMaxFailure: 3 pwdLockout: TRUE pwdLockoutDuration: 60 pwdFailureCountInterval: 120 pwdMustChange: TRUE pwdAllowUserChange: TRUE pwdSafeModify: TRUE pwdGraceAuthNLimit: 3 structuralObjectClass: device entryUUID: dde41790-ddb0-102a-9d8f-2524a04c2d05 creatorsName: cn=scoobydoo,dc=ttpua,dc=portal modifiersName: cn=scoobydoo,dc=ttpua,dc=portal createTimestamp: 20060921113420Z modifyTimestamp: 20060921113420Z entryCSN: 20060921113420Z#000000#00#000000
What I'm trying to do is just verify that the directory server is enforcing my policy of login failures and will lock the account out after the specified number of attempts. As I said before, this is exactly whats done in one of the tests when one runs 'make test' in the source code of openldap after it's built
I run:
./ldapsearch -x -b "dc=ttpua,dc=portal" -P 3 -LLL -e ppolicy -h localhost -D cn=tuser,ou=testing,ou=portal,ou=users,dc=ttpua,dc=portal -w badpassword
Three times. According to the test policy, the account should be locked out.
cn=tuser,ou=testing,ou=portal,ou=users,dc=ttpua,dc=portal userPassword:: e1NIQX1XNnBoNU1tNVB6OEdnaVVMYlBnekczN21qOWc9 objectClass: top objectClass: inetOrgPerson objectClass: organizationalPerson sn: User cn: tuser structuralObjectClass: inetOrgPerson entryUUID: 15847d74-3bf4-102b-912f-2d95986cd7a9 creatorsName: cn=scoobydoo,dc=ttpua,dc=portal createTimestamp: 20070119103219Z pwdPolicySubentry: cn=test,ou=portal,ou=policies,dc=ttpua,dc=portal entryCSN: 20070119103245Z#000000#00#000000 modifiersName: cn=scoobydoo,dc=ttpua,dc=portal modifyTimestamp: 20070119103245Z
I run the same ldap search for the forth time with the correct password, I'm able to log in - which I thought I shouldn't be able to do. So I clearly am missing something. Can anyone shed some light on what that may be?
TIA,
Errol Neal
Errol Neal wrote:
I run the same ldap search for the forth time with the correct password, I'm able to log in - which I thought I shouldn't be able to do. So I clearly am missing something. Can anyone shed some light on what that may be?
Your "overlay ppolicy" clause is in the wrong place. Look at the test022 example more carefully, and read the slapd.conf( 5 ) manpage description for the "overlay" keyword.
You seem to be missing one of the fundamental concepts of slapd configuration, which is that the relative order of statements in the configuration is meaningful.
openldap-software@openldap.org
-
Errol Neal -
Howard Chu