ppolicy pwdMinLenght, pwdAccountLockedTime and pwdLockoutDuration don't work as supposed

[Theo Alves <supershow@gmail.com>]

Hello there,

    We have 40 machines on an educational informatics lab authenticating with LDAP. I am using python ldap module as management tool. I am experiencing two problems at now. The first one is when an user access ldap by python the ppolicy pwdMinLenght doesn't work. The user can freely put a password too short. That doesn't happen when using passwd. Check out the python code snip:

import ldap
dn = 'uid=%s,ou=People,dc=example,dc=com' % 'user1'
con = ldap.initialize('ldapi:///')
con.bind_s(dn, raw_input('Password: ')) #getting the present password
con.passwd_s(dn, None, '1')

   The to default_ppolicy entry pwdMinLenght is setted to 5, even so the code above works to regular users and they can put passwords too short. 

   The second thing is in the lab sometimes users should be disabled for time periods (2 weeks for instance). I guessed I could set pwdAccountLockedTime to now and pwdLockoutDuration to the duration and the user would be automatically unlocked after that time, but it doesn't look to work. I guess this directives are only valid when pwdFailureTime is setted by the authentication methods. Can someone confirm that I can't set manually pwdAccountLockedTime and pwdLockoutDuration to block user access to a determined period? What would be the alternatives?
    I hope I haven't missed the answers because a lack of English skills. I have "googled" a lot about that, but nothing useful came up. The mail list archives search in openldap-technical doesn't return anything even when I try ldap, or ppolicy. I browsed some month archives but got nothing by the e-mail subjects.

   Thanks in advance for any help and answers. I hope I have been understood and sorry about any mistakes I've made concerning the language. 

Theo

-- 
O Pensamento Governa o Universo

http://www.999thnight.com
http://www.unreversed.com