
Re: ldap bind and password policy



On Monday, 5 July 2010 08:35:02 Christian Bösch wrote:
> Now I have tested this and got the following conclusion:
> 
> ppolicy_forward TRUE on the consumer:
> everything is well synced.
> ldapsearch on the consumer with a wrong binding password gets search results.
> Not so on the provider; here I get ldap_bind: Invalid credentials (49)

So, the new feature does not seem to work correctly. Has someone filed an ITS?

> ppolicy_forward FALSE on the consumer:
> ldapsearch with a wrong password results in invalid credentials on both
> machines. I'm wondering that pwdHistory is synced well, however...

pwdHistory can only be updated on the provider, so this is not a concern.

> pwdFailureTime is only synced from provider to consumer. If failed
> authentication takes place on the consumer, then pwdFailureTime is added
> only on the consumer locally, which is a problem if I want to use lockout.

This is the same as the behaviour prior to this feature. There are workarounds.

Regards,
Buchan
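The divergence discussed above (pwdFailureTime values recorded only on the consumer, so the provider never reaches its lockout threshold) is something an administrator can check for directly. The script below is an added example and is not code from the thread or from OpenLDAP. It parses LDIF of the kind `ldapsearch -LLL '(pwdFailureTime=*)' pwdFailureTime` would return from each server, then reports entries whose failure timestamps differ between provider and consumer and flags those where the consumer's count alone has reached an assumed pwdMaxFailure of 3. The two LDIF strings are constructed sample data; names and threshold are assumptions, not values from the thread.

```python
"""Compare pwdFailureTime values between a provider and a consumer.

Added example, not from the mailing-list thread or from OpenLDAP.
Input is LDIF as emitted by ldapsearch on each server (constructed
samples below). Base64 (::) attribute values are not decoded here.
"""

# Constructed sample: what the provider reports.
PROVIDER_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20100705080000Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdFailureTime: 20100705081000Z
pwdFailureTime: 20100705081500Z
"""

# Constructed sample: the consumer has extra, local-only failures.
CONSUMER_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20100705080000Z
pwdFailureTime: 20100705082000Z
pwdFailureTime: 20100705082100Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdFailureTime: 20100705081000Z
pwdFailureTime: 20100705081500Z

dn: uid=carol,ou=people,dc=example,dc=com
pwdFailureTime: 20100705083000Z
"""


def parse_failure_times(ldif: str) -> dict:
    """Map each DN to the set of pwdFailureTime values found in LDIF text.

    LDIF continuation lines (starting with a single space) are unfolded
    before parsing; comments and blank lines separate entries.
    """
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries = {}
    dn = None
    for line in unfolded:
        if not line.strip():
            dn = None          # blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
            entries.setdefault(dn, set())
        elif attr == "pwdfailuretime" and dn is not None:
            entries[dn].add(value)
    return entries


def find_divergence(provider_ldif: str, consumer_ldif: str,
                    pwd_max_failure: int = 3) -> list:
    """Return one report per DN whose failure timestamps differ.

    lockout_mismatch is True when the consumer alone has accumulated
    pwd_max_failure timestamps but the provider has not, i.e. lockout
    would trigger locally without the provider ever knowing.
    pwd_max_failure=3 is an assumed policy value.
    """
    prov = parse_failure_times(provider_ldif)
    cons = parse_failure_times(consumer_ldif)
    reports = []
    for dn in sorted(set(prov) | set(cons)):
        p, c = prov.get(dn, set()), cons.get(dn, set())
        if p == c:
            continue
        reports.append({
            "dn": dn,
            "provider": len(p),
            "consumer": len(c),
            "consumer_only": len(c - p),
            "provider_only": len(p - c),
            "lockout_mismatch": len(c) >= pwd_max_failure > len(p),
        })
    return reports


if __name__ == "__main__":
    for r in find_divergence(PROVIDER_LDIF, CONSUMER_LDIF):
        flag = " LOCKOUT-ONLY-ON-CONSUMER" if r["lockout_mismatch"] else ""
        print(f'{r["dn"]}: provider={r["provider"]} consumer={r["consumer"]}'
              f' consumer_only={r["consumer_only"]}{flag}')
```

In practice the two LDIF inputs would come from separate ldapsearch runs against each server with an identity allowed to read the operational pwdFailureTime attribute; a non-empty report is the signal that consumer-side failures are not being reflected on the provider, which is the situation the thread describes.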