[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7089) ppolicy adds PWDFAILURETIME to organizationalUnit

Full_Name: Noel Köthe
Version: 2.4.25
OS: Debian GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


using the ppolicy overlay with no special options:

overlay ppolicy
ppolicy_default "cn=ppolicy,dc=domain,dc=lan"

objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: ppolicy
pwdMaxAge: 2592000
pwdExpireWarning: 3600
pwdMaxFailure: 5
pwdLockout: TRUE
pwdMustChange: TRUE
pwdMinLength: 6
pwdSafeModify: FALSE
pwdAttribute: userPassword

I'm scanning the LDAP data for PWDFAILURETIME attributes from time to time and
found the following ou with this attribute (slapcat output):

dn: ou=test,dc=domain,dc=lan
objectClass: organizationalUnit
ou: test
structuralObjectClass: organizationalUnit
entryUUID: ad5a6bc6-8a9c-1030-810d-db1b7d10e7b5
creatorsName: cn=admin,dc=domain,dc=lan
createTimestamp: 20111014104028Z
PWDFAILURETIME: 20111115101034Z
PWDFAILURETIME: 20111115101036Z
PWDFAILURETIME: 20111115101039Z
PWDFAILURETIME: 20111115111624Z
PWDFAILURETIME: 20111115111629Z
entryCSN: 20111115111629.327963Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=lan
modifyTimestamp: 20111115111629Z

The PWDFAILURETIME on an organizationalUnit were created by:
$ ldapsearch -x -W -D ou=test,dc=domain,dc=lan
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

IMHO it is a bug that the ppolicy adds the PWDFAILURETIME attribute to DN's
which don't have a userPassword attribute and cannot get one.

Do you aggree?

Thanks for your answer.


  Noel Köthe