Hello,
To get an explicit error message, you have to use an LDAP v3 connection and enable the Password Policy Server Control. For instance, with ldapsearch, you have to use the "-P 3 -e=ppolicy" parameters.
Regards,
On 20/02/2023 at 17:45, Stefan Kania wrote:
Hello,
I have the following configuration for my overlay ppolicy (OpenLDAP 2.6). It's a testing system!

dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=net
olcPPolicyHashCleartext: FALSE
olcPPolicyForwardUpdates: FALSE
olcPPolicyUseLockout: TRUE
My default-policy:
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: pwdPolicy
objectClass: person
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 1440
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdFailureCountInterval: 300
pwdMaxFailure: 5
pwdMinLength: 8
sn: OurDefaultPolicy
pwdLockoutDuration: 120
pwdMustChange: TRUE
pwdMaxAge: 2000
Everything works, but I don't get a different message if the account is locked because of too many bad login attempts. The manpage of slapo-ppolicy tells me: if ppolicy_use_lockout = TRUE then an AccountLocked is shown. But I still get "Permission denied, please try again." if I give the correct password after the account has been locked because of too many bad login attempts.
Did I miss something? If "yes" what?
Thanks
Stefan
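The reply above points at the mechanism behind Stefan's observation: the lockout reason is never carried in the bind result code itself (a locked account still fails with invalidCredentials, which PAM/ldapsearch render as "Permission denied"), it is carried in the Password Policy response control that the server only attaches when the client asked for it. As an added example, not code from either poster or from OpenLDAP, here is a standard-library-only decoder for that control's value (OID 1.3.6.1.4.1.42.2.27.8.5.1, PasswordPolicyResponseValue as defined in draft-behera-ldap-password-policy). The sample control values are hand-constructed from the ASN.1 in the draft, not captured from Stefan's server, and the function names are this example's own.

```python
"""Decode the LDAP Password Policy response control (draft-behera-ldap-password-policy).

Added example, not from the mailing-list thread or from OpenLDAP itself.
The control value is:

  PasswordPolicyResponseValue ::= SEQUENCE {
    warning [0] CHOICE {
      timeBeforeExpiration [0] INTEGER,
      graceAuthNsRemaining [1] INTEGER } OPTIONAL,
    error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
LDAP_INVALID_CREDENTIALS = 49

# error ENUMERATED values, numbering from the draft
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}

TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0   # [0] CHOICE, constructed, at SEQUENCE level
TAG_EXPIRE = 0x80    # [0] timeBeforeExpiration, inside the warning CHOICE
TAG_GRACE = 0x81     # [1] graceAuthNsRemaining, inside the warning CHOICE
TAG_ERROR = 0x81     # [1] ENUMERATED, at SEQUENCE level (same byte, different nesting)


@dataclass
class PPolicyResponse:
    time_before_expiration: Optional[int] = None
    grace_authns_remaining: Optional[int] = None
    error: Optional[str] = None


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER: missing tag or length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:end], end


def _ber_int(value: bytes) -> int:
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> PPolicyResponse:
    """Parse a ppolicy response controlValue into its warning/error fields."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("controlValue is not a single SEQUENCE")
    resp = PPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            wtag, wval, wend = _read_tlv(inner, 0)
            if wend != len(inner):
                raise ValueError("trailing bytes in warning CHOICE")
            if wtag == TAG_EXPIRE:
                resp.time_before_expiration = _ber_int(wval)
            elif wtag == TAG_GRACE:
                resp.grace_authns_remaining = _ber_int(wval)
            else:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
        elif tag == TAG_ERROR:
            code = _ber_int(inner)
            resp.error = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return resp


def explain_bind(result_code: int, control_value: Optional[bytes]) -> str:
    """What a client can report from a bind result plus the (optional) ppolicy control."""
    if control_value is None:
        # Without the control, lockout and a wrong password are indistinguishable.
        if result_code == LDAP_INVALID_CREDENTIALS:
            return "invalidCredentials (no ppolicy control: cannot tell lockout from bad password)"
        return f"resultCode={result_code}"
    resp = decode_ppolicy_response(control_value)
    if resp.error is not None:
        return resp.error
    if resp.grace_authns_remaining is not None:
        return f"password expired, {resp.grace_authns_remaining} grace bind(s) left"
    if resp.time_before_expiration is not None:
        return f"password expires in {resp.time_before_expiration} s"
    return "ok"


# Constructed sample control values (hand-encoded from the ASN.1, not captured from a server)
SAMPLE_LOCKED = bytes.fromhex("30 03 81 01 01")                # error accountLocked(1)
SAMPLE_GRACE = bytes.fromhex("30 05 A0 03 81 01 02")           # warning graceAuthNsRemaining=2
SAMPLE_EXPIRING = bytes.fromhex("30 07 A0 05 80 03 01 51 80")  # warning timeBeforeExpiration=86400

if __name__ == "__main__":
    print(explain_bind(LDAP_INVALID_CREDENTIALS, None))
    print(explain_bind(LDAP_INVALID_CREDENTIALS, SAMPLE_LOCKED))
    print(explain_bind(0, SAMPLE_GRACE))
    print(explain_bind(0, SAMPLE_EXPIRING))
```

The practical consequence for the thread: whichever client does the bind (ldapsearch, ldapwhoami, a PAM or SSSD module) must send the ppolicy request control and then read this response control; a client that only looks at the bind result code will print the generic authentication failure no matter how the overlay is configured.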