Issue 9813 - Incompatibility between remoteauth and ppolicy overlays
Summary: Incompatibility between remoteauth and ppolicy overlays
Status: CONFIRMED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: overlays (show other issues)
Version: unspecified
Hardware: All
OS: All
Importance: --- enhancement
Target Milestone: 2.7.0
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
Reported: 2022-03-21 19:41 UTC by Thierry PUBELLIER
Modified: 2023-09-05 12:23 UTC (History)
CC List: 0 users

Description Thierry PUBELLIER 2022-03-21 19:41:44 UTC
Hi,

We are planning to use OpenLDAP as a proxy for some users in our Active Directory servers, using remoteauth overlay.

We want this OpenLDAP instance to also implement an account lockout policy, preventing the lockout on our internal Active Directory servers.

But there seems to be an incompatibility between remoteauth and ppolicy overlays: remoteauth won't remote authenticate a user if a local userPassword attribute exists, while the ppolicy overlay needs this attribute.

Could there be a configuration parameter in ppolicy to allow lockout checks/modifications (which seemed to be the default behavior of OpenLDAP before ITS#7089)?

I can provide a patch if allowed.

Thanks in advance,

Best regards,

Thierry
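A constructed slapd.conf fragment, added here as an illustration and not part of the report or of the OpenLDAP project's own documentation, showing the overlay stacking the report describes: ppolicy enforcing lockout on the proxy so that failed binds are stopped locally, and remoteauth forwarding binds to the internal directory. The suffix, DNs, hostname and limits are placeholders; the directive names are those documented in slapo-ppolicy(5) and slapo-remoteauth(5).

```conf
# Constructed example (not from the report): one mdb database with the
# ppolicy and remoteauth overlays stacked on it. Suffix, DNs and the AD
# hostname are placeholders.

database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap

# Lockout is enforced on the proxy by ppolicy, so repeated failed binds
# lock the proxy entry instead of the account in the internal AD.
# The policy entry named here must exist (objectClass pwdPolicy with
# pwdLockout TRUE and a pwdMaxFailure limit).
overlay     ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout

# Binds for entries that carry no local userPassword are forwarded to the
# directory mapped for the entry's domain. Using an ldaps:// URI keeps the
# forwarded credentials off the wire in clear text.
overlay     remoteauth
remoteauth_mapping           EXAMPLE  ldaps://ad.example.com/
remoteauth_domain_attribute  associatedDomain
remoteauth_default_domain    EXAMPLE
remoteauth_retry_count       3

# The conflict the report describes sits between these two overlays:
# remoteauth forwards a bind only when the entry has no userPassword,
# while ppolicy applies its lockout checks only to entries that have one.
# With this configuration as written, a proxied user therefore gets
# remote authentication but no local lockout counting.
```

Overlay order matters in slapd.conf (the overlay configured last is invoked first), so check the order against the behaviour you need before relying on the combination; the report's point is that, whichever order is chosen, the userPassword requirement currently prevents both overlays from acting on the same entry.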
Comment 1 Ondřej Kuzník 2022-03-22 15:55:29 UTC
Hi Thierry,
yes, this seems like an unsupported combination of features. If you were to put this in, now that ITS#9343 has been merged (staged for 2.7), it might be possible to make a distinction between a default policy and one that was applied explicitly through a rule or pwdPolicySubentry.
Comment 2 Thierry PUBELLIER 2022-03-22 21:21:40 UTC
(In reply to Ondřej Kuzník from comment #1)
> Hi Thierry,
> yes, this seems like an unsupported combination of features. If you were to
> put this in, now that ITS#9343 has been merged (staged for 2.7), it might be
> possible to make a distinction between a default policy and one that was
> applied explicitly through a rule or pwdPolicySubentry.

Hi Ondřej,

Thanks for your answer.

Combining remoteauth and ppolicy with this new feature from ITS#9343 may be a real plus for security and protection of internal directories, providing lockout capabilities.

It's really easier to configure and use than the almost equivalent solution with saslauthd, and makes it simple to have multiple remote domains.

If you consider this an interesting feature, I already have a fully functional patch that declares a new configuration option (ppolicy_always_check), which makes ppolicy always check for lockout.
May I submit it?

Best regards,

Thierry
Comment 3 Ondřej Kuzník 2023-09-05 12:23:34 UTC
Hi Thierry, have you tested the code that's in master to check whether it actually covers your use case?