[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ppolicy does not seem to work

Jan Kohnert schrieb:
> I have a problem with ppolicy and got stuck finding a solution. I
> configured slapd using the information from [1] trying to be able to lock
> users. But anyway, the lock seems to be ignored: As soon as one tries to
> log in, the pwdLockedTime agument es removed from the entry and I seem to
> be too blind or dumb to see the reason why.

> b079 /etc/openldap # ldapsearch -x -s base -b "cn=default, ou=policies,
> dc=yyy, dc=zzz, dc=org"

> pwdLockout: TRUE
> pwdLockoutDuration: 900

I think, I got the problem: Setting the lockout time older than 
pwdLockoutDuration lets ppolicy ignore the lockout. That's just fine and as I 
configured. I just did not understand that one.

Setting the account locktime to current time locks out the user (as just 
tested) correctly.

So there comes the next question: Is there a way to lock out specific users 
permanently (other than creating a cronjob setting the lockout time new after 
900s) or do I need to set pwdLockoutDuration to inf and so are forced to 
manually reset users whose accounts were tried to be cracked?

MfG Jan

Attachment: signature.asc
Description: This is a digitally signed message part.