[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd 2.4.13: ppolicy_use_lockout not working as expected


I use the ppolicy overlay and it works fine for all the features I've
tested but one:

I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
still get the err=49
invalid credentials error message after 5 unsuccessfull authentification
attempts (a few
seconds elapse between each attempt)

I operate slapd 2.4.13 over OpenSuse 10.2

I can for example expire passwords, reset them or use the password
history feature,
but I can't figure out how to get an "account locked" message instead of
"invalid credentials"
when a user fails to log in more than 5 times.

I've tested with different ldapsearch versions as well as with Apache
LDAP Studio which seems
to use at least some LDAP controls, so I don't think it's a client side

I've tried to set "ppolicy_use_lockout" to 1 or true or on as well as
let it without value, but it's
doesn't change anything, excepted that unauthorized values prevent slapd
from starting.

Here's what I see in "-d -1 mode"

<= acl_access_allowed: granted to database root
bdb_modify_internal: replace pwdAccountLockedTime
bdb_modify_internal: add pwdFailureTime
bdb_modify_internal: 20 modify/add: pwdFailureTime: value #0 already exists
bdb_modify: modify failed (20)
send_ldap_result: conn=7 op=0 p=3
send_ldap_result: err=20 matched="" text="modify/add: pwdFailureTime:
value #0 already exists"
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 25
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
conn=7 op=0 RESULT tag=97 err=49 text=
daemon: activity on:

My config is as follows:

database bdb

overlay ppolicy
ppolicy_default "cn=default,ou=policies,.....

And my policy is as follows:

dn: cn=default,ou=policies,....
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 86400
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: default

Any clue ?


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature