Hi everyone,
I'm using openldap-2.4.8 and cyrus-sasl-2.1.22.
I've enabled password policy on my OpenLDAP server, and I've seen that when I authenticate using SASL DIGEST-MD5 I can run any search even if my account is locked.
In fact I get the following results:
./ldapsearch -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -D 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -x -W -e ppolicy '(objectClass=*)'
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Account locked
./ldapsearch -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -W -Y DIGEST-MD5 -U apatrissi '(objectClass=*)'
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
SASL username: apatrissi
SASL SSF: 128
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=apatrissi,ou=people,dc=my-domain,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# apatrissi, people, my-domain.com
dn: uid=apatrissi,ou=people,dc=my-domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: people
cn: Alessandro Patrissi
givenName: Alessandro
sn: Patrissi
uid: apatrissi
userPassword:: YWxleA==
mail: alessandro.patrissi@commprove.com
telephoneNumber: +0039
description: test LDAP

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
Where can I look to solve the problem?
Thanks a lot,
Alessandro Patrissi