Hi,
I use the ppolicy overlay and enabled ppolicy_use_lockout to distinguish between an invalid password and a locked account.
database bdb
suffix "dc=openiam,dc=com"
rootdn "cn=Manager,dc=openiam,dc=com"
rootpw "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
I tried to lock a user account by entering a wrong password a couple of times (pwdMaxFailure).
The user is being locked, but when I try to log in again I still get the same error:
Invalid credentials (49)
Any idea why I am not getting a different error to distinguish between the cases?
thanks, ray.
This e-mail and the information it contains may be privileged and/or confidential. It is intended solely for the use of the named recipient(s). If you are not the intended recipient you may not disclose, copy, distribute or retain any part of this message or attachments. If you have received this e-mail in error please notify the sender immediately [by clicking 'Reply'] and delete this e-mail.
On Sun, 5 Jan 2014 15:13:51 +0000, Idan Fridman idanf@cellebrite.com wrote:
Hi,
I use the ppolicy overlay and enabled ppolicy_use_lockout to distinguish between an invalid password and a locked account.
database bdb
suffix "dc=openiam,dc=com"
rootdn "cn=Manager,dc=openiam,dc=com"
rootpw "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
I tried to lock a user account by entering a wrong password a couple of times (pwdMaxFailure).
The user is being locked, but when I try to log in again I still get the same error:
Invalid credentials (49)
Any idea why I am not getting a different error to distinguish between the cases?
1. There is no appropriate result message for password policy. RFC 4511 Section 4.1.9 defines all result messages and Appendix A provides in brief a general description.
2. In your particular case result 49 is a substitution in order to prevent an unauthorized disclosure.
-Dieter
Hi,
So how will you distinguish between the cases? How will a user or an admin be able to know whether that user is blocked?
Thanks, Idan.
----- Reply message ----- From: "Dieter Klünter" dieter@dkluenter.de To: "openldap-technical@openldap.org" openldap-technical@openldap.org Subject: Ldap password policy not throwing different errors Date: Sun, Jan 5, 2014 21:33
1. There is no appropriate result message for password policy. RFC 4511 Section 4.1.9 defines all result messages and Appendix A provides in brief a general description.
2. In your particular case result 49 is a substitution in order to prevent an unauthorized disclosure.
-Dieter
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E
Idan Fridman wrote:
Hi,
So how will you distinguish between the cases? How will a user or an admin be able to know whether that user is blocked?
Reread the slapo-ppolicy(5) manpage. It states quite clearly that ppolicy_use_lockout only affects the ppolicy response control. Your client must Bind using the ppolicy request control in order to generate this result code, and it must properly parse the ppolicy response control to see the actual code.
On 01/05/2014 09:30 PM, Idan Fridman wrote:
Hi,
So how will you distinguish between the cases? How will a user or an admin be able to know whether that user is blocked?
Read draft-behera-ldap-password-policy. Additional ppolicy info is in the value of the control response, if any. A detailed description is provided in the draft (Section 9.1, AFAIR).
p.