Hi everyone,
 
I'm using openldap-2.4.8 and cyrus-sasl-2.1.22.
I've enabled password policy on my OpenLDAP server and I've seen that when I authenticate using SASL DIGEST-MD5 I can make any search even if my account is locked.
In fact I have the following results:
 
./ldapsearch  -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com'  -D 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -x -W  -e ppolicy '(objectClass=*)'
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Account locked
 

./ldapsearch  -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -W -Y DIGEST-MD5  -U apatrissi    '(objectClass=*)'
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
SASL username: apatrissi
SASL SSF: 128
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=apatrissi,ou=people,dc=my-domain,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#
 
# apatrissi, people, my-domain.com
dn: uid=apatrissi,ou=people,dc=my-domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: people
cn: Alessandro Patrissi
givenName: Alessandro
sn: Patrissi
uid: apatrissi
userPassword:: YWxleA==
mail: alessandro.patrissi@commprove.com
telephoneNumber: +0039
description: test LDAP
 
# search result
search: 3
result: 0 Success
 
# numResponses: 2
# numEntries: 1
 
 
Where can I look to solve the problem?
 
Thanks a lot,
 
 
Alessandro Patrissi
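The two ldapsearch runs above are exactly the comparison an administrator wants to repeat after changing the ppolicy or SASL configuration: does a locked account get refused by every bind mechanism the server accepts, or only by simple bind? The helper below is an added audit script, not part of the original post or of OpenLDAP; it wraps the same two probes in functions and classifies their output so the result can be checked mechanically. LDAP_URI, LDAP_PASS and the DN/uid arguments are assumed placeholders to be replaced with local values, and the classification strings are taken from the ldapsearch output shown in the post.

```shell
#!/bin/sh
# Audit helper (added example, not from the original post): check whether a
# locked account is refused by both simple bind and SASL DIGEST-MD5 bind.
# Assumes OpenLDAP's ldapsearch is on PATH; LDAP_URI and LDAP_PASS are
# placeholders supplied through the environment.

LDAP_URI="${LDAP_URI:-ldap://localhost}"   # placeholder server URI

# Classify captured ldapsearch output (stdout+stderr) into one of
# LOCKED, DENIED, SUCCESS or UNKNOWN. "Account locked" is checked first
# because it appears on the same line as "Invalid credentials (49)".
classify_bind_result() {
    out="$1"
    case "$out" in
        *"Account locked"*)      echo LOCKED ;;
        *"Invalid credentials"*) echo DENIED ;;
        *"result: 0 Success"*)   echo SUCCESS ;;
        *)                       echo UNKNOWN ;;
    esac
}

# Compare the outcome of a simple bind and a SASL bind for the same account.
# Returns 1 when the lockout is enforced for simple bind but the SASL bind
# still succeeds, i.e. the situation described in the post.
compare_mechanisms() {
    simple_out="$1"
    sasl_out="$2"
    s=$(classify_bind_result "$simple_out")
    m=$(classify_bind_result "$sasl_out")
    echo "simple bind: $s / SASL DIGEST-MD5 bind: $m"
    if [ "$s" = "LOCKED" ] && [ "$m" = "SUCCESS" ]; then
        echo "MISMATCH: lockout enforced for simple bind only"
        return 1
    fi
    return 0
}

# Run both probes against a live server for one account.
# $1 = full DN (for simple bind and search base), $2 = uid (SASL authcid).
run_probe() {
    dn="$1"
    uid="$2"
    simple_out=$(ldapsearch -H "$LDAP_URI" -x -D "$dn" -w "$LDAP_PASS" \
        -e ppolicy -b "$dn" '(objectClass=*)' 2>&1)
    sasl_out=$(ldapsearch -H "$LDAP_URI" -Y DIGEST-MD5 -U "$uid" -w "$LDAP_PASS" \
        -b "$dn" '(objectClass=*)' 2>&1)
    compare_mechanisms "$simple_out" "$sasl_out"
}

# Only contact a server when explicitly asked, e.g.:
#   LDAP_PASS=secret ./ppolicy_check.sh --run 'uid=apatrissi,ou=people,dc=my-domain,dc=com' apatrissi
if [ "${1:-}" = "--run" ]; then
    run_probe "$2" "$3"
fi
```

The script exits non-zero on a mismatch, so it can sit in a post-deployment check; the classification deliberately keys on the literal ldapsearch messages, so adjust the patterns if the server's ppolicy response text differs from the one shown above.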