Hello,

To have an explicit error message, you have to use an LDAP v3 connection and enable the Password Policy Server Control. For instance, with ldapsearch, you have to use the "-P 3 -e=ppolicy" parameters.

Regards,

On 20/02/2023 at 17:45, Stefan Kania wrote:
Hello,

I have the following configuration for my overlay ppolicy (OpenLDAP 2.6)
It's a testing system!

---------
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=net
olcPPolicyHashCleartext: FALSE
olcPPolicyForwardUpdates: FALSE
olcPPolicyUseLockout: TRUE
---------

My default-policy:
---------
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: pwdPolicy
objectClass: person
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 1440
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdFailureCountInterval: 300
pwdMaxFailure: 5
pwdMinLength: 8
sn: OurDefaultPolicy
pwdLockoutDuration: 120
pwdMustChange: TRUE
pwdMaxAge: 2000
---------

Everything works, but I don't get a different message if the account is locked because of too many bad login attempts.
The manpage of slapo-ppolicy tells me:
ppolicy_use_lockout = TRUE then an AccountLocked is shown. But I still get:
Permission denied, please try again.
if I'm giving the correct password after the account is locked because of too many bad login attempts.

Did I miss something? If "yes" what?

Thanks

Stefan

-- 
Benjamin Renard                  -                   Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37   -  mailto:brenard@easter-eggs.com