HI!
I'm using back-sock as overlay to intercept bind *requests* and send
them to an external listener which returns success(0) or
invalidCredentials(49).
I'd like to avoid having to deal with operational attributes in the
user's entry. Therefore in case of invalidCredentials(49) I'd like
slapo-ppolicy to add attribute value to 'pwdFailureTime'.
The order of overlays in slapd.conf is:
overlay sock
sockops bind
overlay ppolicy
overlay lastbind
overlay rwm
From my understand the requests go from bottom up
rwm -> lastbind -> ppolicy -> back-sock
.....continue...... returns success(0)
or invalidCredentials(49)
and vice versa the response go through
back-sock -> ppolicy -> lastbind -> rwm
It partially works:
(/) I see update of 'authTimestamp' by slapo-lastbind.
(/) If back-sock listener returns success(0) slapo-ppolicy correctly
checks password expiry in the response chain and returns
invalidCredentials(49) with appropriate ppolicy response controls.
(x) But the attribute 'pwdFailureTime' is not set in case back-sock
listener returns invalidCredentials(49).
Reading source of ppolicy_bind_response() one of the first things is to
check for rs->sr_err == LDAP_INVALID_CREDENTIALS and add another
'pwdFailureTime' value.
So it should work. But it doesn't. Any clue what I'm doing wrong?
Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature