Jan Kohnert wrote:
I have a problem with ppolicy and got stuck finding a solution. I configured slapd using the information from [1], trying to be able to lock users. But anyway, the lock seems to be ignored: as soon as one tries to log in, the pwdLockedTime argument is removed from the entry, and I seem to be too blind or dumb to see the reason why.
b079 /etc/openldap # ldapsearch -x -s base -b "cn=default, ou=policies, dc=yyy, dc=zzz, dc=org"
pwdLockout: TRUE
pwdLockoutDuration: 900
I think I got the problem: setting the lockout time older than pwdLockoutDuration lets ppolicy ignore the lockout. That's just fine and as I configured it; I just did not understand that one.
Setting the account lock time to the current time locks out the user correctly (as just tested).
So here comes the next question: is there a way to lock out specific users permanently (other than creating a cron job that sets the lockout time anew every 900 s), or do I need to set pwdLockoutDuration to infinity and thus be forced to manually reset users whose accounts someone tried to crack?
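The expiry rule Jan worked out above, as an added example (not code from the thread): given the policy's pwdLockoutDuration and the entry's lock timestamp, it reports whether ppolicy will still honour the lock. It assumes the attribute name pwdAccountLockedTime, the special value 000001010000Z for a permanent lock, and pwdLockoutDuration 0 meaning "no automatic unlock", all as documented in the slapo-ppolicy man page; the LDIF entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# slapo-ppolicy: this pwdAccountLockedTime value means "locked permanently"
PERMANENT_LOCK = "000001010000Z"

def parse_generalized_time(value: str) -> datetime:
    """Parse the UTC GeneralizedTime form slapd writes (YYYYMMDDHHMMSS[.fff]Z)."""
    if not value.endswith("Z"):
        raise ValueError("only Zulu-time GeneralizedTime is handled here")
    stamp = value[:-1].split(".")[0]          # drop fractional seconds if present
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def lockout_state(locked_time, lockout_duration: int, now: datetime) -> str:
    """'unlocked', 'permanent', 'locked' (still in effect) or 'expired' (ignored)."""
    if locked_time is None:
        return "unlocked"
    if locked_time == PERMANENT_LOCK:
        return "permanent"
    since = parse_generalized_time(locked_time)
    if lockout_duration == 0:                # 0 = account is never unlocked by time
        return "locked"
    # The rule from the thread: a stamp older than pwdLockoutDuration is ignored
    if now - since < timedelta(seconds=lockout_duration):
        return "locked"
    return "expired"

def ldif_attr(ldif_text: str, name: str):
    """First value of attribute `name` in one ldapsearch-style entry, or None."""
    prefix = name.lower() + ":"
    for line in ldif_text.splitlines():
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None

def check_entry(user_ldif: str, policy_ldif: str, now: datetime) -> str:
    """Combine the policy entry and the user entry into a lockout verdict."""
    if (ldif_attr(policy_ldif, "pwdLockout") or "FALSE").upper() != "TRUE":
        return "unlocked"                    # policy does not lock at all
    duration = int(ldif_attr(policy_ldif, "pwdLockoutDuration") or 0)
    return lockout_state(ldif_attr(user_ldif, "pwdAccountLockedTime"), duration, now)

# Constructed sample data mirroring the thread's policy (900 s lockout)
POLICY_LDIF = "dn: cn=default,ou=policies,dc=example,dc=org\npwdLockout: TRUE\npwdLockoutDuration: 900\n"
USER_LDIF = "dn: uid=jdoe,ou=people,dc=example,dc=org\npwdAccountLockedTime: 20240101120000Z\n"

if __name__ == "__main__":
    print(check_entry(USER_LDIF, POLICY_LDIF, datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)))
```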