On 01/05/2014 09:30 PM, Idan Fridman wrote:
Hi, So how will you distinct between the cases? How user or admin will be able to know if that user is blocked?
Read draft-behera-ldap-password-policy. Additional ppolicy info is in the value of the control response, if any. A detailed description is provided in the draft (Section 9.1, AFAIR).
p.
Thanks, Idan.
----- Reply message ----- From: "Dieter Klünter" dieter@dkluenter.de To: "openldap-technical@openldap.org" openldap-technical@openldap.org Subject: Ldap password policy not throwing different errors Date: Sun, Jan 5, 2014 21:33
Am Sun, 5 Jan 2014 15:13:51 +0000 schrieb Idan Fridman idanf@cellebrite.com:
Hi,
I use ppolicy overlay and enabled ppolicy_use_lockout to separate between invalid password and locked accounts.
database bdb suffix "dc=openiam,dc=com" rootdn "cn=Manager,dc=openiam,dc=com" rootpw "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h" # PPolicy Configuration overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com" ppolicy_use_lockout ppolicy_hash_cleartextI tried to lock user account by entering wrong password couple of times (pwdMaxFailure)
The user is being locked but when I try to login again I still get the same error:
Invalid credentials (49)
Any idea why i am not getting diffrent error to disticnt between the cases?
- there is no appropriate result message for password policy. RFC 4511
Section 4.1.9 defines all result messages and Appendix A provides in brief a general description. 2. In your particular case result 49 is a substitution in order to prevent an unauthorized disclosure.
-Dieter
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E
This e-mail and the information it contains may be privileged and/or confidential. It is intended solely for the use of the named recipient(s). If you are not the intended recipient you may not disclose, copy, distribute or retain any part of this message or attachments. If you have received this e-mail in error please notify the sender immediately [by clicking 'Reply'] and delete this e-mail.