
RE: WARNING: No dynamic config support for overlay ppolicy?

You wrote: 
>> It would help to:
>> 1)provide the contents of your ppolicy_default 
>> 2)explain exactly what is not working

Here is the test policy I have in the directory.

dn: cn=test,ou=portal,ou=policies,dc=ttpua,dc=portal
objectClass: pwdPolicy
objectClass: top
objectClass: device
cn: test
pwdAttribute: userPassword
pwdMaxAge: 360
pwdExpireWarning: 120
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdFailureCountInterval: 120
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdGraceAuthNLimit: 3
structuralObjectClass: device
entryUUID: dde41790-ddb0-102a-9d8f-2524a04c2d05
creatorsName: cn=scoobydoo,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,dc=ttpua,dc=portal
createTimestamp: 20060921113420Z
modifyTimestamp: 20060921113420Z
entryCSN: 20060921113420Z#000000#00#000000

What I'm trying to do is just verify that the directory server is
enforcing my policy of login failures and will lock the account out
after the specified number of attempts. As I said before, this is
exactly what's done in one of the tests when one runs 'make test' in the
source code of openldap after it's built.

I run:

./ldapsearch -x -b "dc=ttpua,dc=portal" -P 3 -LLL -e ppolicy -h
localhost -D cn=tuser,ou=testing,ou=portal,ou=users,dc=ttpua,dc=portal
-w badpassword 

Three times. According to the test policy, the account should be locked.

userPassword:: e1NIQX1XNnBoNU1tNVB6OEdnaVVMYlBnekczN21qOWc9
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
sn: User
cn: tuser
structuralObjectClass: inetOrgPerson
entryUUID: 15847d74-3bf4-102b-912f-2d95986cd7a9
creatorsName: cn=scoobydoo,dc=ttpua,dc=portal
createTimestamp: 20070119103219Z
pwdPolicySubentry: cn=test,ou=portal,ou=policies,dc=ttpua,dc=portal
entryCSN: 20070119103245Z#000000#00#000000
modifiersName: cn=scoobydoo,dc=ttpua,dc=portal
modifyTimestamp: 20070119103245Z

When I run the same ldap search for the fourth time with the correct password,
I'm able to log in, which I thought I shouldn't be able to do. So I
clearly am missing something. Can anyone shed some light on what that
may be?


Errol Neal
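Added example, not part of the post above and not OpenLDAP code: a small simulation of the lockout-related attributes in the quoted pwdPolicy entry (pwdMaxFailure, pwdLockout, pwdLockoutDuration, pwdFailureCountInterval), following the draft-behera-ldap-password-policy semantics those attributes implement. It states what a correctly applied policy should do for the test described (three bad binds, then one good bind), including the two cases that legitimately do not lock: failures spaced further apart than pwdFailureCountInterval, and a good bind after pwdLockoutDuration has elapsed. The class names, the bind() return labels and the timestamps are this example's own assumptions; a real server returns invalidCredentials for a locked account and signals the lock through the ppolicy response control.

```python
"""Simulate the failure-count / lockout part of a pwdPolicy entry.

Added example; attribute semantics per draft-behera-ldap-password-policy,
class names and return labels are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Policy from the post, reduced to the attributes this simulation uses.
POLICY_LDIF = """\
dn: cn=test,ou=portal,ou=policies,dc=ttpua,dc=portal
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdFailureCountInterval: 120
"""


def parse_policy(ldif: str) -> dict:
    """Parse 'attr: value' LDIF lines; convert the pwd* values used here."""
    policy = {}
    for line in ldif.splitlines():
        if ":" not in line:
            continue
        attr, value = line.split(":", 1)
        policy[attr.strip()] = value.strip()
    for key in ("pwdMaxFailure", "pwdLockoutDuration", "pwdFailureCountInterval"):
        policy[key] = int(policy.get(key, "0"))
    policy["pwdLockout"] = policy.get("pwdLockout", "FALSE").upper() == "TRUE"
    return policy


@dataclass
class AccountState:
    """Operational attributes ppolicy keeps on the user entry."""
    failure_times: List[float] = field(default_factory=list)  # pwdFailureTime values
    locked_at: Optional[float] = None                         # pwdAccountLockedTime


class PolicyEnforcer:
    """Applies the policy to successive simple binds against one account."""

    def __init__(self, policy: dict):
        self.p = policy
        self.state = AccountState()

    def bind(self, password_ok: bool, now: float) -> str:
        s, p = self.state, self.p
        # 1. Is the account currently locked?  pwdLockoutDuration 0 means
        #    "until an administrator resets it".
        if s.locked_at is not None:
            duration = p["pwdLockoutDuration"]
            if duration == 0 or now < s.locked_at + duration:
                return "accountLocked"
            s.locked_at = None          # lock expired: fresh start
            s.failure_times = []
        # 2. Purge failures older than pwdFailureCountInterval (0 = keep all).
        interval = p["pwdFailureCountInterval"]
        if interval > 0:
            s.failure_times = [t for t in s.failure_times if now - t < interval]
        # 3. Record the outcome of this bind.
        if not password_ok:
            s.failure_times.append(now)
            if p["pwdLockout"] and len(s.failure_times) >= p["pwdMaxFailure"]:
                s.locked_at = now       # this failure triggers the lockout
            return "invalidCredentials"
        s.failure_times = []            # success clears the failure history
        return "success"


def run_scenario(policy: dict, attempts: List[Tuple[bool, float]]) -> List[str]:
    """Feed (password_ok, timestamp) pairs to a fresh account; return results."""
    enforcer = PolicyEnforcer(policy)
    return [enforcer.bind(ok, t) for ok, t in attempts]


if __name__ == "__main__":
    policy = parse_policy(POLICY_LDIF)
    # The test from the post: three bad passwords, then the right one.
    print(run_scenario(policy, [(False, 0), (False, 1), (False, 2), (True, 3)]))
```

With the quoted policy, the fourth bind in the post's test should come back as a locked account; a "success" there means the overlay is not being applied to that bind at all, not that the policy values are wrong. The two spaced-out and expired-lockout scenarios are the cases a tester can otherwise mistake for a broken policy.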