[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Operational attribute pwdFailureTime not being added to entries

To: openldap-software@openldap.org
Subject: Re: Operational attribute pwdFailureTime not being added to entries
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Fri, 14 Mar 2008 13:03:04 +0200
Cc: Ryan Steele <rsteele@archer-group.com>
Content-disposition: inline
In-reply-to: <47D9A6AD.2060204@archer-group.com>
References: <47D9A6AD.2060204@archer-group.com>
User-agent: KMail/1.9.7

On Friday 14 March 2008 00:11:57 Ryan Steele wrote:
> Hello,
>
> First let me thank the gracious folks on this list who have lent their
> advice to me on my path towards implementing ppolicy.  I'm making
> progress; I can reject new passwords based on password history, and
> reject weak passwords.  However, I'm having a bit of a time trying to
> get the lockouts to work.  My policy is defined as:
>
> 56 cn=Password Policy,ou=Policies,dc=example,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: Password Policy
> pwdAttribute: userPassword
> pwdMaxAge: 3888000
> pwdMinLength: 6
> pwdExpireWarning: 432000
> pwdFailureCountInterval: 0
> pwdMustChange: FALSE
> pwdAllowUserChange: TRUE
> pwdSafeModify: TRUE
> pwdLockout: TRUE
> pwdCheckQuality: 1
> pwdGraceAuthNLimit: 0
> pwdInHistory: 6
> pwdLockoutDuration: 60
> pwdMaxFailure: 3
>
>
> However, even after many failure attempts, I see no pwdFailureTime
> attributes in the offending user's entry:

This worked without any complications for me (on various versions of 2.3, most 
recently 2.3.34, and currently 2.3.40).

How are you testing?

Regards,
Buchan

References:
- Operational attribute pwdFailureTime not being added to entries
  - From: Ryan Steele <rsteele@archer-group.com>

Prev by Date: Re: Grace period for inactive accounts?
Next by Date: Re: syncrepl not syncing [ CSN older or equal to ctx ]
Index(es):
- Chronological
- Thread