
RE: slapd 2.4.13: ppolicy_use_lockout not working as expected

>I can for example expire passwords, reset them or use the password
>history feature, but I can't figure out how to get an "account locked"
>message instead of "invalid credentials" when a user fails to log in
>more than 5 times.

That's by intention (or should be).  You never want to let the client
differentiate between the bind failing because of invalid credentials
and failing because the account is locked, for security reasons.

Returning "account is locked" instead of "invalid credentials" simply
tells an attacker that any further tries are a waste of time, and can be
used to know when to continue an attack (esp. if the account unlocks
after a bit of time, in which case it also tells them how long the
lockout is, so they can tune their attack to go right up to the limit
and stop, allowing a more successful attack, etc.).

By returning invalid credentials after the account is locked, you don't 
give an attacker more info to aid in his attack.

This is the same reason why login pages should never ever say things
like "user doesn't exist", "password was wrong", "account is locked",
etc - a well designed/secure login page will only say that whatever
credentials were supplied are not valid for any unsuccessful login case.

Any other response gives away too much information.

 - Jeff
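The configuration that gives the behaviour Jeff describes (lockout enforced, but never reported to the binding client), as an added example that is not part of the original thread or of the OpenLDAP documentation. It is written for cn=config; the database DN olcDatabase={1}hdb, the suffix dc=example,dc=com and the policy DN are assumptions for illustration.

```ldif
# Added example (not from the original thread): slapo-ppolicy set up so
# that lockout works but a bind against a locked account still gets the
# plain invalidCredentials (49) result. Database DN, suffix and policy
# DN are assumed.

# 1. The overlay on the database. olcPPolicyUseLockout is left at its
#    default, FALSE. Setting it to TRUE does not change the bind result
#    code; it makes slapd report error accountLocked in the ppolicy
#    response control to any client that sent the ppolicy request
#    control, which is exactly the information leak discussed above.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE

# 2. The policy entry (pwdPolicy is auxiliary, so it hangs off a
#    structural class, here person). After five failed binds the account
#    is locked for 900 seconds; during that window even the correct
#    password fails, and the client sees nothing but invalidCredentials.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 0
```

In slapd.conf the equivalent is `overlay ppolicy` plus `ppolicy_default "cn=default,ou=policies,dc=example,dc=com"`, and simply leaving the `ppolicy_use_lockout` keyword out: it takes no argument and enables the leak by its presence. The server still knows the difference. A locked entry carries the operational attribute pwdAccountLockedTime (request it by name in ldapsearch, operational attributes are not returned by default), and an administrator unlocks the account by deleting that attribute. The distinction is kept for the people who should have it and withheld from whoever is binding.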