
Ppolicy DIGEST-MD5 ignore expired password

Have a nice day.

I have to implement a password policy in our OpenLDAP. While testing features
of the ppolicy module I found that it ignores an expired password when I authenticate
a user by SASL DIGEST-MD5.
When I try on an expired account:

ldapwhoami -xD "cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ"

the answer is: ldap_bind: Invalid credentials (49)
and in slapd log:

ppolicy_bind: Entry cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ has an expired password: 0 grace logins

But when I try

ldapwhoami -Y DIGEST-MD5 -U kokos1

the answer is
SASL/DIGEST-MD5 authentication started
SASL username: kokos1
SASL installing layers
dn:cn=kokos velky,ou=testusers,ou=people,o=ceske drahy,c=cz
Result: Success (0)

In slapd.conf I have

       "ldap:///o=Ceske drahy,c=CZ??sub?(&(uid=$1)(|(objectClass=inetOrgPerson)

What am I doing wrong?

Many thanks for advice.
Jiri Netolicky
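
For auditing the situation reported in this message (an expired account that still binds over SASL), the following is an added example, not part of the original post or of OpenLDAP: it reads ldapsearch LDIF output and lists entries whose `pwdChangedTime` is older than a maximum age. The sample LDIF, the function names and the 90-day limit (standing in for the policy's `pwdMaxAge`) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `ldapsearch ... uid pwdChangedTime` output (LDIF).
# The first DN is folded across two lines, as ldapsearch does for long values.
SAMPLE_LDIF = """\
dn: cn=Kokos Velky,ou=TestUsers,ou=Peo
 ple,o=Ceske drahy,c=CZ
uid: kokos1
pwdChangedTime: 20240101000000Z

dn: cn=Fresh User,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ
uid: fresh1
pwdChangedTime: 20240601000000Z
"""

def parse_entries(ldif):
    """Return one {lowercased attribute: first value} dict per LDIF entry."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ": " in line:
            name, value = line.split(": ", 1)
            cur.setdefault(name.lower(), value)  # base64 ("::") values are not decoded
    return entries

def parse_gtime(value):
    """Parse a GeneralizedTime value such as 20240101000000Z as UTC."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def expired_entries(ldif, max_age_seconds, now):
    """Return (dn, age_in_days) for entries older than max_age_seconds at `now`."""
    out = []
    for e in parse_entries(ldif):
        if "dn" not in e or "pwdchangedtime" not in e:
            continue                      # no change time: skipped in this example
        age = now - parse_gtime(e["pwdchangedtime"])
        if age > timedelta(seconds=max_age_seconds):
            out.append((e["dn"], age.days))
    return out

if __name__ == "__main__":
    print(expired_entries(SAMPLE_LDIF, 90 * 86400, datetime(2024, 7, 1, tzinfo=timezone.utc)))
```

`pwdChangedTime` is an operational attribute, so it has to be requested by name (or with `+`) in the search that produces the input.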