Re: slapd 2.4.13: ppolicy_use_lockout not working as expected
Clowser, Jeff wrote:
>> I can for example expire passwords, reset them or use the password
>> but I can't figure out how to get an "account locked" message instead
>> when a user fails to log in more than 5 times.
>
> That's by intention (or should be). You never want to differentiate to
> client the difference between the bind failing because of invalid
> and failing because the account is locked, for security reasons.

Yes. The slapo-ppolicy(5) manpage already discusses this.

The manpage also discusses the AccountLocked error code - it is returned in
the PasswordPolicy response control, not in the LDAP Result code. As the
manpage clearly states, "A client will always receive an LDAP
InvalidCredentials response ..."

-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/