ppolicy (how to get hands on the password policy response)
- To: OpenLDAP-software@OpenLDAP.org
- Subject: ppolicy (how to get hands on the password policy response)
- From: Jørgen Løkke <jorlokk@gmail.com>
- Date: Sun, 15 Jan 2006 21:09:23 +0100
I have enabled pwdMaxAge and the ppolicy correctly locks an account if
the password's age is older than the given definition.
But when I bind to an account with an expired password I only get the
regular InvalidCredentials response. I want to be able to give the
user a more descriptive error message (like: Your password has
expired).
I have enabled ppolicy_use_lockout, but how can I get hands on the
password policy response?
The following log entries occur when I try to bind to an account with
a password which is about to expire / has expired:
Jan 13 13:24:57 foobar slapd[72391]: ppolicy_bind: Setting warning for password expiry for uid=foobar,cn=Users,dc=foo,dc=bar = 89129 seconds
...
Jan 13 13:47:32 foobar slapd[72391]: ppolicy_bind: Entry uid=foobar,cn=Users,dc=foo,dc=bar has an expired password: -1 grace logins
Thanks in advance
Jørgen Løkke