On 06/01/2012 21:29, Chris Jacobs wrote:
Your example shows only 2 pwdFailureTime entries and your policy indicates "pwdMaxFailure: 3".
Hi Chris,
No matter how many failed attempts I make, it never appears as locked:
I now have:
pwdFailureTime: 20120106193928Z
pwdFailureTime: 20120106194040Z
pwdFailureTime: 20120107112658Z
pwdFailureTime: 20120107112705Z
and still no pwdAccountLockedTime.
Is anybody observing the same behavior?
Your initial mail does not show a 'ppolicy_default' in slapd.conf. I believe you need to create a default ppolicy entry in LDAP, and specify it in slapd.conf:
# Password Policy
overlay ppolicy
ppolicy_default "cn=default,ou=ppolicy,dc=local"
Without the default, or if you want a user to use something other than default, you'll need to manually set the pwdPolicySubentry for the user. In your case:
dn: uid=lcaron_99,ou=People,dc=local
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=lcaron_99,ou=ppolicy,dc=local
~/joe
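The checks discussed in this thread, as an added example that is not part of the original messages or of OpenLDAP: an offline diagnosis of why an entry with recorded pwdFailureTime values has no pwdAccountLockedTime. It assumes the lockout rule of the ppolicy schema (pwdLockout must be TRUE and the counted failures must reach pwdMaxFailure, optionally within pwdFailureCountInterval); those two attribute names come from the schema rather than the thread. The function names are hypothetical, and the policy entry is constructed apart from "pwdMaxFailure: 3".

```python
from datetime import datetime

def parse_ldif(text):
    """One plain LDIF entry -> {lowercased attribute: [values]} (no folding/base64)."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def lockout_diagnosis(user, policies, ppolicy_default=None):
    """Return (lock_expected, reason) for a user entry under the assumed ppolicy rules."""
    policy_dn = (user.get("pwdpolicysubentry") or [ppolicy_default])[0]
    if not policy_dn:
        return False, "no pwdPolicySubentry and no ppolicy_default: no policy applies"
    policy = policies.get(policy_dn.lower())
    if policy is None:
        return False, "policy entry %s does not exist" % policy_dn
    if policy.get("pwdlockout", ["FALSE"])[0].upper() != "TRUE":
        return False, "pwdLockout is not TRUE in %s" % policy_dn
    max_fail = int(policy.get("pwdmaxfailure", ["0"])[0])
    if max_fail <= 0:
        return False, "pwdMaxFailure is 0 or unset"
    times = sorted(datetime.strptime(v, "%Y%m%d%H%M%SZ")
                   for v in user.get("pwdfailuretime", []))
    interval = int(policy.get("pwdfailurecountinterval", ["0"])[0])
    if interval > 0 and times:
        # Simplification: measure the window back from the latest failure.
        times = [t for t in times if (times[-1] - t).total_seconds() < interval]
    if len(times) < max_fail:
        return False, "%d counted failure(s), pwdMaxFailure is %d" % (len(times), max_fail)
    return True, "%d counted failure(s) >= pwdMaxFailure %d" % (len(times), max_fail)

# User entry: DN and failure times as quoted in the thread.
USER = parse_ldif("""
dn: uid=lcaron_99,ou=People,dc=local
pwdFailureTime: 20120106193928Z
pwdFailureTime: 20120106194040Z
pwdFailureTime: 20120107112658Z
pwdFailureTime: 20120107112705Z
""")
# Constructed policy entry; only "pwdMaxFailure: 3" comes from the thread.
DEFAULT_DN = "cn=default,ou=ppolicy,dc=local"
POLICY = parse_ldif("""
dn: cn=default,ou=ppolicy,dc=local
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
""")
POLICIES = {DEFAULT_DN: POLICY}
```

Calling `lockout_diagnosis(USER, POLICIES)` models the configuration without ppolicy_default; passing `DEFAULT_DN` as the third argument models it with the default policy in place.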