[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7916) ppolicy doesn't set pwdAccountLockedTime

To: openldap-its@OpenLDAP.org
Subject: (ITS#7916) ppolicy doesn't set pwdAccountLockedTime
From: anshman.osc@gmail.com
Date: Wed, 06 Aug 2014 10:26:58 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Anshuman
Version: 2.4.23
OS: RHEL 6.4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (198.241.211.15)


Hello,

I am trying to get the ppolicy to lock account after N unsuccessful attempts. To
accomplish this, I defined the overlay policy in slapd.conf, and also attached
the pwdPolicySubentry to the user object.

It is able to detect the password policy, because the number of times
"pwdFailureTime" appears is always 1 less than the value I set for
"pwdMaxFailure" in the password policy.

So, if I set pwdMaxFailure=4, the count pwdFailureTime stops growing after 3.

However, the pwdAccountLockedTime is never set.

Up until release 2.3.x adding a rootdn entry to the slapd.conf solved this
issue. But today we are trying to upgrade to 2.4.23, and this "fix" no longer
works.

Could someone please let me know what needs to be done to make this work?

-- slapd.conf---
# Load dynamic backend modules:
modulepath      /usr/lib64/openldap
moduleload      ppolicy.la
moduleload      auditlog.la

overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=mycompany,dc=com"
ppolicy_use_lockout

Prev by Date: Re: (ITS#7906) segv when changing olcDbDirectory with ppolicy running
Next by Date: Re: (ITS#7916) ppolicy doesn't set pwdAccountLockedTime
Index(es):
- Chronological
- Thread