Hi,
I'm currently implementing a password policy on my openldap directory.
Most of it is working (password length, password history). I just can't make the account lockout work.
The attribute pwdAccountLockedTime is never created in my directory.
Entries used for the test:
dn: cn=lcaron_99,ou=ppolicy,dc=local sn: lcaron_99 pwdCheckQuality: 0 pwdMaxFailure: 3 pwdAllowUserChange: TRUE pwdInHistory: 10 pwdLockout: TRUE pwdMinLength: 8 structuralObjectClass: person pwdExpireWarning: 720000 pwdGraceAuthNLimit: 5 cn: lcaron_99 pwdAttribute: userPassword objectClass: pwdPolicy objectClass: person objectClass: top pwdMaxAge: 10 pwdFailureCountInterval: 1200 pwdLockoutDuration: 3600 modifyTimestamp: 20120106194803Z
dn: uid=lcaron_99,ou=People,dc=local objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: sambaSamAccount cn: lcaron_99 sn: lcaron_99 uid: lcaron_99 uidNumber: 4082 gidNumber: 513 homeDirectory: /home/lcaron_99 loginShell: /bin/bash ...samba attributes snipped ... userPassword:: ...snipped... pwdPolicySubentry: cn=lcaron_99,ou=ppolicy,dc=local pwdChangedTime: 20120106193917Z structuralObjectClass: inetOrgPerson creatorsName: cn=admin,dc=local createTimestamp: 20120106193917Z pwdFailureTime: 20120106193928Z pwdFailureTime: 20120106194040Z entryCSN: 20120106194040.970726Z#000000#000#000000 modifiersName: modifyTimestamp: 20120106194040Z
in slapd.conf:
# Password Policy overlay ppolicy
Did I miss something obvious ?
Thanks