HI!
I'm using back-sock as overlay to intercept bind *requests* and send them to an external listener which returns success(0) or invalidCredentials(49).
I'd like to avoid having to deal with operational attributes in the user's entry. Therefore in case of invalidCredentials(49) I'd like slapo-ppolicy to add attribute value to 'pwdFailureTime'.
The order of overlays in slapd.conf is:
overlay sock sockops bind
overlay ppolicy
overlay lastbind
overlay rwm
From my understand the requests go from bottom up
rwm -> lastbind -> ppolicy -> back-sock .....continue...... returns success(0) or invalidCredentials(49)
and vice versa the response go through
back-sock -> ppolicy -> lastbind -> rwm
It partially works:
(/) I see update of 'authTimestamp' by slapo-lastbind.
(/) If back-sock listener returns success(0) slapo-ppolicy correctly checks password expiry in the response chain and returns invalidCredentials(49) with appropriate ppolicy response controls.
(x) But the attribute 'pwdFailureTime' is not set in case back-sock listener returns invalidCredentials(49).
Reading source of ppolicy_bind_response() one of the first things is to check for rs->sr_err == LDAP_INVALID_CREDENTIALS and add another 'pwdFailureTime' value.
So it should work. But it doesn't. Any clue what I'm doing wrong?
Ciao, Michael.
openldap-technical@openldap.org