[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ldap password policy not throwing different errors

Idan Fridman wrote:
So how will you distinct between the cases? How user or admin will be able to
know if that user is blocked?

Reread the slapo-ppolicy(5) manpage. It states quite clearly that ppolicy_use_lockout only affects the ppolicy response control. Your client must Bind using the ppolicy request control in order to generate this result code, and it must properly parse the ppolicy response control to see the actual code.


----- Reply message -----
From: "Dieter Klünter" <dieter@dkluenter.de>
To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Ldap password policy not throwing different errors
Date: Sun, Jan 5, 2014 21:33

Am Sun, 5 Jan 2014 15:13:51 +0000
schrieb Idan Fridman <idanf@cellebrite.com>:


I use ppolicy overlay and enabled ppolicy_use_lockout to separate
between invalid password and locked accounts.

    database    bdb
    suffix      "dc=openiam,dc=com"
    rootdn      "cn=Manager,dc=openiam,dc=com"
    rootpw      "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
    # PPolicy Configuration
    overlay ppolicy
    ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"

I tried to lock user account by entering wrong password couple of
times (pwdMaxFailure)

The user is being locked but when I try to login again I still get
the same error:

Invalid credentials (49)

Any idea why i am not getting diffrent error to disticnt between the

1. there is no appropriate result message for password policy. RFC 4511
Section 4.1.9  defines all result messages and Appendix A provides in
brief a general description.
2. In your particular case result 49 is a substitution in order to
prevent an unauthorized disclosure.


Dieter Klünter | Systemberatung
GPG Key ID:DA147B05

This e-mail and the information it contains may be privileged and/or
confidential. It is intended solely for the use of the named recipient(s). If
you are not the intended recipient you may not disclose, copy, distribute or
retain any part of this message or attachments. If you have received this
e-mail in error please notify the sender immediately [by clicking 'Reply'] and
delete this e-mail.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/