Jan Kohnert wrote:
> I have a problem with ppolicy and got stuck finding a solution. I
> configured slapd using the information from [1] trying to be able to lock
> users. But anyway, the lock seems to be ignored: As soon as one tries to
> log in, the pwdLockedTime argument is removed from the entry and I seem to
> be too blind or dumb to see the reason why.
> b079 /etc/openldap # ldapsearch -x -s base -b "cn=default, ou=policies,
> dc=yyy, dc=zzz, dc=org"
> pwdLockout: TRUE
> pwdLockoutDuration: 900

I think I got the problem: setting the lockout time older than pwdLockoutDuration lets ppolicy ignore the lockout. That's just fine and as I configured it; I just did not understand that one. Setting the account lock time to the current time locks out the user (as just tested) correctly.

So there comes the next question: Is there a way to lock out specific users permanently (other than creating a cronjob setting the lockout time anew after 900s), or do I need to set pwdLockoutDuration to inf and so be forced to manually reset users whose accounts were tried to be cracked?

--
Regards, Jan
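The behaviour worked out in the mail (a pwdAccountLockedTime older than pwdLockoutDuration is ignored, a fresh one locks) can be modelled offline. The script below is an added example, not from the thread; it assumes the ppolicy rules as documented for slapo-ppolicy: the attribute is pwdAccountLockedTime, a pwdLockoutDuration of 0 locks until an administrator unlocks, and the special value 000001010000Z marks a permanent lock. The DN and timestamps are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Value that slapo-ppolicy treats as "locked until a password administrator unlocks".
PERMANENT_LOCK = "000001010000Z"


def parse_gt(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20240101115000Z (seconds optional)."""
    fmt = "%Y%m%d%H%M%SZ" if len(value) == 15 else "%Y%m%d%H%MZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def is_locked(locked_time, lockout_duration: int, now_gt: str) -> bool:
    """Mirror the ppolicy check at bind time.

    locked_time: pwdAccountLockedTime of the user entry, or None if absent.
    lockout_duration: pwdLockoutDuration (seconds) from the policy; 0 = no expiry.
    now_gt: current time as GeneralizedTime (constructed for the example).
    """
    if locked_time is None:
        return False
    if locked_time == PERMANENT_LOCK or lockout_duration == 0:
        return True
    # A lock older than the duration has expired and is simply ignored.
    return parse_gt(now_gt) < parse_gt(locked_time) + timedelta(seconds=lockout_duration)


def lockout_ldif(dn: str, now_gt: str, permanent: bool = False) -> str:
    """Build the ldapmodify input that sets the lock (hypothetical DN supplied by caller)."""
    value = PERMANENT_LOCK if permanent else now_gt
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: pwdAccountLockedTime\n"
        f"pwdAccountLockedTime: {value}\n"
    )


if __name__ == "__main__":
    now = "20240101120000Z"  # constructed "current time"
    print("10 min old lock, 900s duration ->", is_locked("20240101115000Z", 900, now))
    print("20 min old lock, 900s duration ->", is_locked("20240101114000Z", 900, now))
    print(lockout_ldif("uid=sample,ou=people,dc=example,dc=org", now, permanent=True))
```

Feeding the permanent-lock LDIF to ldapmodify avoids the cron job: the lock never ages out, and only an administrator clearing pwdAccountLockedTime reopens the account.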