Hello,
I have the following configuration for my ppolicy overlay (OpenLDAP 2.6). It's a testing system!
---------
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=net
olcPPolicyHashCleartext: FALSE
olcPPolicyForwardUpdates: FALSE
olcPPolicyUseLockout: TRUE
---------
My default policy:
---------
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: pwdPolicy
objectClass: person
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 1440
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdFailureCountInterval: 300
pwdMaxFailure: 5
pwdMinLength: 8
sn: OurDefaultPolicy
pwdLockoutDuration: 120
pwdMustChange: TRUE
pwdMaxAge: 2000
---------
Everything works, but I don't get a different message if the account is locked because of too many bad login attempts. The manpage of slapo-ppolicy tells me: with ppolicy_use_lockout = TRUE an AccountLocked is shown. But I still get "Permission denied, please try again." if I give the correct password after the account is locked because of too many bad login attempts.
Did I miss something? If "yes" what?
Thanks
Stefan
Hello,
To have an explicit error message, you have to use an LDAP v3 connection and enable the Password Policy Server Control. For instance, with ldapsearch, you have to use the "-P 3 -e=ppolicy" parameters.
Regards,
On 20/02/2023 at 17:45, Stefan Kania wrote:
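The reply above says the explicit lockout reason only reaches the client through the Password Policy response control, which the client has to request (ldapsearch -e ppolicy). The bind itself still fails with the generic resultCode invalidCredentials (49) whether the password was wrong or the account is locked, so a client such as PAM/sshd that never asks for the control can only print "Permission denied". The following is an added example, not code from the thread or from OpenLDAP: a small decoder for the control value (OID 1.3.6.1.4.1.42.2.27.8.5.1, as specified in draft-behera-ldap-password-policy and emitted by slapo-ppolicy) plus a helper that turns a bind result and its controls into a readable message. The sample byte strings are constructed by hand to match the draft's BER layout; the function and constant names are this example's own.

```python
"""
Decode the LDAP Password Policy response control value and explain a bind
result with it. Added example, not from the thread or from OpenLDAP.

PasswordPolicyResponseValue ::= SEQUENCE {
  warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                       graceAuthNsRemaining [1] INTEGER } OPTIONAL,
  error   [1] ENUMERATED { passwordExpired (0), accountLocked (1), ... } OPTIONAL }
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
LDAP_INVALID_CREDENTIALS = 49

# ENUMERATED error values from draft-behera-ldap-password-policy
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
    9: "passwordTooLong",
}

# BER tags used inside the control value
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0                  # [0] constructed, top level
TAG_TIME_BEFORE_EXPIRATION = 0x80   # [0] primitive, inside warning
TAG_GRACE_AUTHNS_REMAINING = 0x81   # [1] primitive, inside warning
TAG_ERROR = 0x81                    # [1] primitive, top level

# Constructed sample control values (hand-encoded, not captured from a server):
SAMPLE_LOCKED = bytes([0x30, 0x03, 0x81, 0x01, 0x01])                   # error=accountLocked
SAMPLE_GRACE = bytes([0x30, 0x05, 0xA0, 0x03, 0x81, 0x01, 0x02])        # graceAuthNsRemaining=2
SAMPLE_EXPIRING = bytes([0x30, 0x07, 0xA0, 0x05, 0x80, 0x03, 0x01, 0x51, 0x80])  # 86400 s left


def _read_tlv(buf, pos):
    """Read one BER element with a definite length; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def decode_ppolicy_control(value):
    """Return {'warning': dict|None, 'error': str|None} for a raw control value."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("control value is not a SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            wtag, wval, _ = _read_tlv(inner, 0)
            n = int.from_bytes(wval, "big")
            if wtag == TAG_TIME_BEFORE_EXPIRATION:
                result["warning"] = {"timeBeforeExpiration": n}
            elif wtag == TAG_GRACE_AUTHNS_REMAINING:
                result["warning"] = {"graceAuthNsRemaining": n}
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == TAG_ERROR:
            if not inner:
                raise ValueError("empty ENUMERATED")
            result["error"] = PPOLICY_ERRORS.get(inner[0], "unknown(%d)" % inner[0])
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return result


def explain_bind_result(result_code, controls):
    """Message a client could show for a bind result and its response controls.

    controls maps control OID -> raw value. With no ppolicy control there is
    nothing to tell a lockout apart from a mistyped password.
    """
    raw = controls.get(PPOLICY_CONTROL_OID)
    if raw is None:
        return "invalidCredentials" if result_code == LDAP_INVALID_CREDENTIALS \
            else "resultCode %d" % result_code
    decoded = decode_ppolicy_control(raw)
    if decoded["error"] == "accountLocked":
        return "account locked (ppolicy error accountLocked)"
    if decoded["error"]:
        return "ppolicy error %s" % decoded["error"]
    if decoded["warning"]:
        name, val = next(iter(decoded["warning"].items()))
        return "bind ok, ppolicy warning %s=%d" % (name, val)
    return "bind ok"


if __name__ == "__main__":
    print(explain_bind_result(LDAP_INVALID_CREDENTIALS, {}))
    print(explain_bind_result(LDAP_INVALID_CREDENTIALS, {PPOLICY_CONTROL_OID: SAMPLE_LOCKED}))
    print(explain_bind_result(0, {PPOLICY_CONTROL_OID: SAMPLE_GRACE}))
    print(explain_bind_result(0, {PPOLICY_CONTROL_OID: SAMPLE_EXPIRING}))
```

The first two calls show the point of the reply: the same resultCode 49 comes back for a locked account in both cases, and only the request for the control makes "account locked" distinguishable from a wrong password. A real client gets the raw control value from its LDAP library (for example the response controls returned by python-ldap's simple_bind_s when the request control was sent), and feeds it to decode_ppolicy_control.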