Hi there,
I'm new to this list, so first of all welcome to everyone.
I have a problem with ppolicy and got stuck finding a solution. I configured slapd using the information from [1] trying to be able to lock users. But anyway, the lock seems to be ignored: As soon as one tries to log in, the pwdLockedTime agument es removed from the entry and I seem to be too blind or dumb to see the reason why.
Here is what happens (testing my own account): b079 /etc/openldap # grep -v "^#" ldif/locked_users.ldif dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org changetype: modify add: pwdAccountLockedTime pwdAccountLockedTime: 20110119225403Z b079 /etc/openldap # ldapmodify -x -D "cn=admin, dc=yyy, dc=zzz, dc=org" -W -f ldif/locked_users.ldif Enter LDAP Password: modifying entry "uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org"
b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan" uid: jan b079 /etc/openldap # ldapwhoami -x -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W Enter LDAP Password: dn:uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"b079 /etc/openldap #
And here is the relevant configuration; b079 /etc/openldap # grep ppolicy slapd.conf include /etc/openldap/schema/ppolicy.schema moduleload ppolicy.so overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=yyy,dc=zzz,dc=org" b079 /etc/openldap #
b079 /etc/openldap # ldapsearch -x -s base -b "cn=default, ou=policies, dc=yyy, dc=zzz, dc=org" # extended LDIF # # LDAPv3 # base <cn=default, ou=policies, dc=yyy, dc=zzz, dc=org> with scope baseObject # filter: (objectclass=*) # requesting: ALL #
# default, policies, yyy.zzz.org dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org cn: default sn: dummy value objectClass: pwdPolicy objectClass: person objectClass: top pwdAttribute: userPassword pwdMinAge: 0 pwdMaxAge: 0 pwdInHistory: 0 pwdCheckQuality: 0 pwdLockout: TRUE pwdLockoutDuration: 900 pwdFailureCountInterval: 1800 pwdMustChange: FALSE pwdAllowUserChange: TRUE pwdSafeModify: TRUE pwdExpireWarning: 604800 pwdMaxFailure: 5 pwdGraceAuthNLimit: 0 pwdMinLength: 8
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 b079 /etc/openldap #
Thank a lot in advance!
[1] http://www.openldap.org/lists/openldap-technical/200810/msg00107.html