On 10/20/2015 09:37 AM, Mitja Mihelič wrote:
Hi!

We are using nsAccountLock=true to lock user accounts. We also have dovecot authenticating users against the 389DS.
If we set nsAccountLock=true, then we get
Oct 20 14:39:30 SERVER dovecot: auth: Error: ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): ldap_bind() failed: Server is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth: ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): Falling back to expired data from cache

Dovecot thinks the server is not working properly so it reads login info from its cache and authentication succeeds.

Can I set 389DS to return a different response?
Something that says: "User is locked" or "Authentication failed"...
The server is returning an LDAP Error 53 (unwilling to perform) with a message that states it's locked ("Account inactivated. Contact system administrator."), but dovecot is not returning this text to its client - it's only returning the error code (with the LDAP description of that error code).

Mark

Kind regards, Mitja


--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
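
The log pattern quoted in this thread (a bind refused with "Server is unwilling to perform", then a cache fallback for the same login) can be searched for to find logins that may have succeeded from cache for a locked account. The following is an added example, not part of the original messages and not dovecot or 389DS code; the sample lines, user names and addresses are constructed, and treating the third field in ldap(...) as a per-session id is an assumption.

```python
import re
from collections import namedtuple

# Constructed sample lines in the format quoted in the thread.
SAMPLE_LOG = """\
Oct 20 14:39:30 SERVER dovecot: auth: Error: ldap(alice,192.0.2.10,<aaaaaaaaaaaaaaaa>): ldap_bind() failed: Server is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth: ldap(alice,192.0.2.10,<aaaaaaaaaaaaaaaa>): Falling back to expired data from cache
Oct 20 14:40:02 SERVER dovecot: auth: Error: ldap(bob,192.0.2.11,<bbbbbbbbbbbbbbbb>): ldap_bind() failed: Server is unwilling to perform
Oct 20 14:41:15 SERVER dovecot: auth: ldap(carol,192.0.2.12,<cccccccccccccccc>): Falling back to expired data from cache
"""

# Matches "<timestamp> <host> dovecot: auth: [Error: ]ldap(user,ip,<session>): <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ dovecot: auth: (?:Error: )?"
    r"ldap\((?P<user>[^,]*),(?P<ip>[^,]*),<(?P<session>[^>]*)>\): (?P<msg>.*)$"
)
UNWILLING = "ldap_bind() failed: Server is unwilling to perform"
FALLBACK = "Falling back to expired data from cache"

Hit = namedtuple("Hit", "user ip session refused_at fallback_at")


def find_cached_logins_after_refusal(lines):
    """Return one Hit per login where a refused bind (LDAP error 53 text)
    was followed by a cache fallback for the same user, address and session."""
    pending = {}  # (user, ip, session) -> timestamp of the refused bind
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m["user"], m["ip"], m["session"])
        if m["msg"] == UNWILLING:
            pending[key] = m["ts"]
        elif m["msg"] == FALLBACK and key in pending:
            # The refusal was masked by cached data: review this login.
            hits.append(Hit(*key, pending.pop(key), m["ts"]))
    return hits


if __name__ == "__main__":
    for hit in find_cached_logins_after_refusal(SAMPLE_LOG.splitlines()):
        print(f"{hit.user} from {hit.ip}: refused {hit.refused_at}, "
              f"cache fallback {hit.fallback_at}")
```

A fallback with no preceding refusal (carol above) is not reported, since it may be an ordinary outage; each reported user still needs to be checked against nsAccountLock in the directory.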