Hi everyone,
I'm using openldap-2.4.8 and cyrus-sasl-2.1.22. I've enabled password policy in my OpenLDAP server, and I've seen that when I authenticate using SASL DIGEST-MD5 I can perform any search even if my account is locked. In fact, I get the following results:
./ldapsearch -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -D 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -x -W -e ppolicy '(objectClass=*)'
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Account locked

./ldapsearch -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -W -Y DIGEST-MD5 -U apatrissi '(objectClass=*)'
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
SASL username: apatrissi
SASL SSF: 128
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=apatrissi,ou=people,dc=my-domain,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# apatrissi, people, my-domain.com
dn: uid=apatrissi,ou=people,dc=my-domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: people
cn: Alessandro Patrissi
givenName: Alessandro
sn: Patrissi
uid: apatrissi
userPassword:: YWxleA==
mail: alessandro.patrissi@commprove.com
telephoneNumber: +0039
description: test LDAP

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
Where can I look to solve the problem?
Thanks a lot,
Alessandro Patrissi
openldap-technical@openldap.org
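The behaviour described in the post, modelled as an added example. This is not code from the post, from OpenLDAP or from Cyrus SASL: it is a small in-memory model of a server that accepts both a simple bind and a SASL DIGEST-MD5 bind against one constructed directory entry (the DN from the post; "alex" is the base64-decoded userPassword shown there; the pwdAccountLockedTime value, the SASL realm, the digest-uri and the enforce_ppolicy switch are constructed for the demonstration). The DIGEST-MD5 arithmetic follows RFC 2831 and is checked against the worked example in that RFC, so the point the model makes is the one in the post: a lockout check that only the simple bind path consults is no lockout at all for a client that binds through SASL.

```python
# Added example (not from the post or from OpenLDAP): a minimal model of an LDAP
# server that accepts both simple and SASL DIGEST-MD5 binds over one constructed
# in-memory directory, to show what a lockout check that lives only on the simple
# bind path lets through. DIGEST-MD5 follows RFC 2831; the realm, digest-uri,
# nonces and the enforce_ppolicy switch are constructed for the demonstration.
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authenticate=True):
    """RFC 2831 response-value. authenticate=True gives the client's 'response';
    False gives the server's 'rspauth' (A2 without the AUTHENTICATE method)."""
    # A1 = H(user:realm:passwd) as RAW bytes, then ":nonce:cnonce" (md5-sess quirk)
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = (f"AUTHENTICATE:{digest_uri}" if authenticate else f":{digest_uri}").encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    kd = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}".encode()
    return _h(kd).hex()


def rfc2831_vector_ok():
    """Check the implementation against the worked example in RFC 2831 section 4."""
    args = ("chris", "elwood.innosoft.com", "secret", "OA6MG9tEQGm2hh",
            "OA6MHXh6VqTrRk", "00000001", "auth", "imap/elwood.innosoft.com")
    return (digest_md5_response(*args) == "d388dad90d4bbd760a152321f2143af7"
            and digest_md5_response(*args, authenticate=False)
            == "ea40f60335c427b5527b84dbabcdfffd")


# Result strings mimic what ldapsearch printed in the post.
SUCCESS = "Success (0)"
INVALID = "Invalid credentials (49)"
ACCOUNT_LOCKED = "Invalid credentials (49); Account locked"

# Constructed directory. The DN is the one from the post; 'alex' is the
# base64-decoded userPassword shown there. pwdAccountLockedTime is the ppolicy
# operational attribute that marks a locked account (value constructed here).
DIRECTORY = {
    "uid=apatrissi,ou=people,dc=my-domain,dc=com": {
        "uid": "apatrissi",
        "userPassword": "alex",
        "pwdAccountLockedTime": "20080401120000Z",
    },
}
REALM = "my-domain.com"                 # constructed SASL realm
DIGEST_URI = "ldap/ldap.my-domain.com"  # constructed digest-uri


def _is_locked(entry):
    return "pwdAccountLockedTime" in entry


def _entry_for_uid(uid):
    return next((e for e in DIRECTORY.values() if e["uid"] == uid), None)


def simple_bind(dn, password):
    """Simple bind: the ppolicy lockout is consulted before the password is checked."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return INVALID
    if _is_locked(entry):
        return ACCOUNT_LOCKED
    return SUCCESS if secrets.compare_digest(entry["userPassword"], password) else INVALID


def sasl_digest_md5_bind(username, response, nonce, cnonce, nc, qop, enforce_ppolicy):
    """SASL bind. enforce_ppolicy=False models the symptom reported in the post:
    the digest is verified but the lockout state is never looked at."""
    entry = _entry_for_uid(username)
    if entry is None:
        return INVALID
    if enforce_ppolicy and _is_locked(entry):
        return ACCOUNT_LOCKED
    expected = digest_md5_response(username, REALM, entry["userPassword"],
                                   nonce, cnonce, nc, qop, DIGEST_URI)
    return SUCCESS if secrets.compare_digest(expected, response) else INVALID


def digest_md5_exchange(username, password, enforce_ppolicy):
    """Client side of one DIGEST-MD5 exchange with fresh nonces; returns the
    server's bind result."""
    nonce, cnonce, nc, qop = secrets.token_hex(16), secrets.token_hex(16), "00000001", "auth"
    response = digest_md5_response(username, REALM, password, nonce, cnonce, nc, qop, DIGEST_URI)
    return sasl_digest_md5_bind(username, response, nonce, cnonce, nc, qop, enforce_ppolicy)


if __name__ == "__main__":
    dn = "uid=apatrissi,ou=people,dc=my-domain,dc=com"
    print("RFC 2831 vector:", rfc2831_vector_ok())
    print("simple bind:    ", simple_bind(dn, "alex"))
    print("SASL, reported: ", digest_md5_exchange("apatrissi", "alex", enforce_ppolicy=False))
    print("SASL, enforced: ", digest_md5_exchange("apatrissi", "alex", enforce_ppolicy=True))
```

The model only reproduces the symptom, not OpenLDAP's internals: which overlay or code path in slapd 2.4.8 skipped the check is not something the post establishes. What it does show is the property to test for on a real server, namely that a locked entry must be refused by every bind mechanism the server offers, which is the pair of ldapsearch invocations in the post run against the same locked account.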