
Re: slapd 2.4.13: ppolicy_use_lockout not working as expected
----- "Cyril Grosjean" <cgrosjean@janua.fr> wrote:

> Hello,
> 
> I use the ppolicy overlay and it works fine for all the features I've
> tested but one:
> 
> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
> still get the err=49 invalid credentials error message after 5
> unsuccessful authentication attempts (a few seconds elapse between
> each attempt).
> 
> I operate slapd 2.4.13 over OpenSuse 10.2
> 
> I can for example expire passwords, reset them or use the password
> history feature, but I can't figure out how to get an "account locked"
> message instead of "invalid credentials" when a user fails to log in
> more than 5 times.

Well, you probably actually want them to get a message telling them that their password has expired, *before* they get locked out (otherwise you need admin intervention anyway).

> 
> I've tested with different ldapsearch versions as well as with Apache
> LDAP Studio, which seems to use at least some LDAP controls, so I don't
> think it's a client side problem.

Are you using the '-e ppolicy' option to ldapwhoami or similar? Password policy requires the client to ask for, and interpret, the password policy controls. So, most likely it *is* a client side problem.


[...]

> Any clue ?

Test with ldapwhoami, with the '-e ppolicy' option. If they work correctly, then this is not an OpenLDAP issue, and you should ask about pam_ldap password policy support on another list (e.g. OpenLDAP-technical) which allows pam_ldap questions.

Regards,
Buchan
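The ldapwhoami check Buchan suggests, written out as an added example (not code from the thread). With ppolicy_use_lockout set, a bind to a locked account still returns result code 49; the lock state is carried only in the Password Policy response control, which ldapwhoami requests with '-e ppolicy' and prints as the text from ldap_passwordpolicy_err2txt ("Account locked", "Password expired", ...). The classifier below matches on those strings so a script can tell a lockout from a plain wrong password. The server URI, bind DN and password are placeholders, and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: exercise the ppolicy response control with ldapwhoami and
# interpret what the tool prints. Not part of the original thread.

# Bind with the Password Policy request control attached ('-e ppolicy').
# Without the control the server only returns err=49; with it, ldapwhoami
# appends the policy error text (e.g. "; Account locked") to its message.
# $1 = LDAP URI, $2 = bind DN, $3 = password (all supplied by the caller).
ppolicy_bind_check() {
    _uri="$1"; _dn="$2"; _pw="$3"
    ldapwhoami -H "$_uri" -x -e ppolicy -D "$_dn" -w "$_pw" 2>&1
}

# Classify one line of ldapwhoami output. The policy strings are matched
# before "Invalid credentials" because a locked account produces both.
classify_ppolicy_output() {
    case "$1" in
        *"Account locked"*)      echo locked ;;
        *"Password expired"*)    echo expired ;;
        *"Change after reset"*)  echo must-change ;;
        *"Invalid credentials"*) echo bad-password ;;
        *"dn:"*|"anonymous")     echo ok ;;
        *)                       echo unknown ;;
    esac
}

# Walk a whole ldapwhoami transcript and report the first decisive line.
summarize_ppolicy_output() {
    _result=unknown
    while IFS= read -r _line; do
        _c=$(classify_ppolicy_output "$_line")
        [ "$_c" != unknown ] && { _result=$_c; break; }
    done
    echo "$_result"
}

# Constructed sample lines showing the difference the control makes; run
# against a real server with e.g.:
#   ppolicy_bind_check ldap://ldap.example.com uid=user,ou=people,dc=example,dc=com secret | summarize_ppolicy_output
for _sample in \
    'ldap_bind: Invalid credentials (49); Account locked' \
    'ldap_bind: Invalid credentials (49)' \
    'dn:uid=user,ou=people,dc=example,dc=com'
do
    printf '%-55s -> %s\n' "$_sample" "$(classify_ppolicy_output "$_sample")"
done
```

If the "; Account locked" suffix appears with '-e ppolicy' but your pam_ldap or GUI client still shows only "invalid credentials", the server side is doing its job and the client is not requesting or parsing the control.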