--On Saturday, February 6, 2021 12:06 AM +0100 Uwe Sauter uwe.sauter.de@gmail.com wrote:
Yes it is. Account locking after failed attempts, password changes honoring configured rules, password history etc. all works since this was set up in 2017. Back then I just forgot to hide the pwd* attributes that are managed by the ppolicy overlay.
Just to confirm, you're not using the rootdn to test the ACL, right? Because the rootdn is never subject to ACL restraints. I'd also advise upgrading to the current release; there are a number of ppolicy fixes made since 2.4.44:
2.4.47: Fixed slapo-ppolicy with multi-provider replication (ITS#8927)
2.4.48: Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
2.4.49: Fixed slapo-ppolicy when used with slapauth (ITS#8629)
2.4.49: Fixed slapo-ppolicy to add a missed normalised copy of pwdChangedTime (ITS#9126)
2.4.50: Fixed slapo-ppolicy callback (ITS#9171)
2.4.51: Added slapo-ppolicy implement Netscape password policy controls (ITS#9279)
2.4.51: Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285)
2.4.51: Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302)
2.4.51: Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309)
2.4.53: Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)
I'd note again, Symas provides free drop-in replacement builds for CentOS/RHEL 7 that are current:
https://repo.symas.com/sofl/rhel7/
You will want to reload the database to account for the 2.4.49 fix for ITS#9126 (it requires a reload of the db via slapcat/slapadd to fix the internal normalization of pwdChangedTime).
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
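As an added illustration of the point above (not from the thread, and not Uwe's actual configuration): a cn=config ACL that hides the pwd* operational attributes maintained by slapo-ppolicy from ordinary binds. The database name olcDatabase={1}mdb, the suffix dc=example,dc=com and the cn=pwadmin DN are assumptions for this example.

```ldif
# Added example (not from the thread). Hide the attributes written by
# slapo-ppolicy from everyone except one dedicated password-admin identity,
# which keeps write access so it can clear pwdAccountLockedTime to unlock
# an account. Database name, suffix and cn=pwadmin are assumed values.
#
# Ordering matters: slapd applies the FIRST "access to" clause that matches
# the attribute, so this rule is inserted at index {0}, ahead of any broader
# "to *" or "to attrs=*" rule that would otherwise expose these values.
#
# Note: the rootdn is never subject to ACLs, so a search bound as the rootdn
# will still return every pwd* attribute; test with an ordinary user DN.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset,pwdPolicySubentry
  by dn.exact="cn=pwadmin,dc=example,dc=com" write
  by * none
```

To verify, bind as an ordinary user (not the rootdn) and request operational attributes with '+' in the ldapsearch attribute list; none of the pwd* values should be returned. The overlay's own updates to these attributes are internal operations and are not blocked by this rule.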