Hi,
So how will you distinct between the cases? How user or admin will be able to know if that user is blocked?

Thanks,
Idan.

----- Reply message -----
From: "Dieter Klünter" <dieter@dkluenter.de>
To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Ldap password policy not throwing different errors
Date: Sun, Jan 5, 2014 21:33

Am Sun, 5 Jan 2014 15:13:51 +0000
schrieb Idan Fridman <idanf@cellebrite.com>:

>
> Hi,
>
> I use ppolicy overlay and enabled ppolicy_use_lockout to separate
> between invalid password and locked accounts.
>
>     database    bdb
>     suffix      "dc=openiam,dc=com"
>     rootdn      "cn=Manager,dc=openiam,dc=com"
>     rootpw      "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
>     # PPolicy Configuration
>     overlay ppolicy
>     ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
>     ppolicy_use_lockout
>     ppolicy_hash_cleartext
>
> I tried to lock user account by entering wrong password couple of
> times (pwdMaxFailure)
>
> The user is being locked but when I try to login again I still get
> the same error:
>
> Invalid credentials (49)
>
> Any idea why i am not getting diffrent error to disticnt between the
> cases?

1. there is no appropriate result message for password policy. RFC 4511
Section 4.1.9  defines all result messages and Appendix A provides in
brief a general description. 
2. In your particular case result 49 is a substitution in order to
prevent an unauthorized disclosure.


-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E

This e-mail and the information it contains may be privileged and/or confidential. It is intended solely for the use of the named recipient(s). If you are not the intended recipient you may not disclose, copy, distribute or retain any part of this message or attachments. If you have received this e-mail in error please notify the sender immediately [by clicking 'Reply'] and delete this e-mail.