[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd 2.4.13: ppolicy_use_lockout not working as expected

To: "Clowser, Jeff" <jeff_clowser@fanniemae.com>
Subject: Re: slapd 2.4.13: ppolicy_use_lockout not working as expected
From: Howard Chu <hyc@symas.com>
Date: Fri, 30 Jan 2009 17:12:16 -0800
Cc: Cyril Grosjean <cgrosjean@janua.fr>, openldap-software@openldap.org
In-reply-to: <C65F80C878CCF24A9BC19646DE2DCA62021C0691@EXVG.fanniemae.com>
References: <4983573E.3020302@janua.fr> <C65F80C878CCF24A9BC19646DE2DCA62021C0691@EXVG.fanniemae.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.2a1pre) Gecko/20081227 SeaMonkey/2.0a1pre Firefox/3.0.3

Clowser, Jeff wrote:

I can for example expire passwords, reset them or use the password
history feature,
but I can't figure out how to get an "account locked" message instead

of

"invalid credentials"
when a user fails to log in more than 5 times.


That's by intention (or should be).  You never want to differentiate to
the
client the difference between the bind failing because of invalid
credentials
and failing because the account is locked, for security reasons.


Yes. The slapo-ppolicy(5) manpage already discusses this.

The manpage also discusses the AccountLocked error code - it is returned in the PasswordPolicy response control, not in the LDAP Result code. As the manpage clearly states, "A client will always receive an LDAP InvalidCredentials response ..." -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

References:
- slapd 2.4.13: ppolicy_use_lockout not working as expected
  - From: Cyril Grosjean <cgrosjean@janua.fr>
- RE: slapd 2.4.13: ppolicy_use_lockout not working as expected
  - From: "Clowser, Jeff" <jeff_clowser@fanniemae.com>

Prev by Date: ACL Question
Next by Date: Re: ACL Question
Index(es):
- Chronological
- Thread