[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7916) ppolicy doesn't set pwdAccountLockedTime

Full_Name: Anshuman
Version: 2.4.23
OS: RHEL 6.4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


I am trying to get the ppolicy to lock account after N unsuccessful attempts. To
accomplish this, I defined the overlay policy in slapd.conf, and also attached
the pwdPolicySubentry to the user object.

It is able to detect the password policy, because the number of times
"pwdFailureTime" appears is always 1 less than the value I set for
"pwdMaxFailure" in the password policy.

So, if I set pwdMaxFailure=4, the count pwdFailureTime stops growing after 3.

However, the pwdAccountLockedTime is never set.

Up until release 2.3.x adding a rootdn entry to the slapd.conf solved this
issue. But today we are trying to upgrade to 2.4.23, and this "fix" no longer

Could someone please let me know what needs to be done to make this work?

-- slapd.conf---
# Load dynamic backend modules:
modulepath      /usr/lib64/openldap
moduleload      ppolicy.la
moduleload      auditlog.la

overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=mycompany,dc=com"