Yes, I recreated the user after putting the overlay in the config.

        -----Original Message-----
        From: Adam Leach [mailto:[EMAIL PROTECTED] 
        Sent: Friday, August 15, 2008 10:46 AM
        To: DiSciascio, Paul
        Cc: [EMAIL PROTECTED]; openldap-software@openldap.org
        Subject: Re: [Probable SPAM] Re: ppolicy password lockout
        
        
        Did you add this user _after_ putting the overlay ppolicy in your
        config or before?  In my past experience only entries that were added
        after the fact were affected.
        
        
        On Fri, Aug 15, 2008 at 9:12 AM, <[EMAIL PROTECTED]> wrote:
        

                Here are the results after multiple bad attempts to bind to the
                LDAP server.
                Additionally, I changed the password for the user before I
                started, and I don't see attributes related to that either.
                
                [EMAIL PROTECTED]:~> ldapsearch -D "cn=manager,dc=pjm,dc=com" -Wx -b "dc=pjm,dc=com" "(uid=testuser)" +
                Enter LDAP Password:
                # extended LDIF
                #
                # LDAPv3
                # base <dc=pjm,dc=com> with scope subtree
                # filter: (uid=testuser)
                # requesting: +
                #
                
                # testuser, People, Test, External, pjm.com
                dn: uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com
                structuralObjectClass: inetOrgPerson
                entryUUID: e15065de-f814-102c-85ad-6b504a287112
                creatorsName: cn=manager,dc=pjm,dc=com
                createTimestamp: 20080806150541Z
                entryCSN: 20080813115547Z#000000#00#000000
                modifiersName: cn=stoat,dc=pjm,dc=com
                modifyTimestamp: 20080813115547Z
                entryDN: uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com
                subschemaSubentry: cn=Subschema
                hasSubordinates: FALSE
                
                # search result
                search: 2
                result: 0 Success
                
                # numResponses: 2
                # numEntries: 1
                
                -----Original Message-----
                From: Andrew Findlay [mailto:[EMAIL PROTECTED]
                Sent: Thursday, August 14, 2008 2:46 PM
                To: DiSciascio, Paul
                Cc: openldap-software@openldap.org
                Subject: [Probable SPAM] Re: ppolicy password lockout
                
                
                On Thu, Aug 14, 2008 at 07:58:44AM -0400, [EMAIL PROTECTED] wrote:
                
                > I don't see any pwdFailureTime attributes ever show up for the user
                > in question, and the password never locks after bad password attempts.
                
                When reading the user entry are you requesting the operational
                attributes? You need to do that to see things like failure times.
                Add '+' to the end of the ldapsearch command and see what you get.
                
                Andrew
                --
                -----------------------------------------------------------------------
                |                 From Andrew Findlay, Skills 1st Ltd                 |
                | Consultant in large-scale systems, networks, and directory services |
                |     http://www.skills-1st.co.uk/                +44 1628 782565     |
                -----------------------------------------------------------------------
                
                




        -- 
        Adam Leach
        BS Computer/Electrical Engineering
        West Virginia University
        System Administrator - Raytheon
        (304)677-4455
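
A check for the situation discussed in this thread, as an added example that is not part of the original messages: it parses `ldapsearch ... +` output, unfolds wrapped LDIF lines, and counts the ppolicy state attributes recorded on each entry. The sample LDIF, the `example.com` DNs and the function names are constructed for illustration.

```python
# Added example (not from the thread); the sample LDIF below is constructed.
PPOLICY_STATE_ATTRS = ("pwdChangedTime", "pwdFailureTime", "pwdAccountLockedTime")

SAMPLE = """\
dn: uid=testuser,ou=People,dc=example,dc=com
createTimestamp: 20080806150541Z
hasSubordinates: FALSE

dn: uid=lockeduser,ou=People,
 dc=example,dc=com
pwdChangedTime: 20080815140000Z
pwdFailureTime: 20080815140101Z
pwdFailureTime: 20080815140105Z
pwdFailureTime: 20080815140109Z
pwdAccountLockedTime: 20080815140109Z

# search result
search: 2
result: 0 Success
"""

def unfold(text):
    """Join LDIF continuation lines (those starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    """Return {dn: {lowercased attr: [values]}}; comments and the trailer are skipped."""
    entries, current = {}, None
    for line in unfold(text):
        if not line.strip():
            current = None                      # a blank line ends the entry
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            value = value.lstrip(":").strip()   # "::" base64 values stay encoded
            if name.lower() == "dn":
                current = entries.setdefault(value, {})
            elif current is not None:           # ignores "search:" / "result:" lines
                current.setdefault(name.lower(), []).append(value)
    return entries

def ppolicy_report(text):
    """Count ppolicy state attributes per entry; all zeros means no state was recorded."""
    return {dn: {a: len(attrs.get(a.lower(), [])) for a in PPOLICY_STATE_ATTRS}
            for dn, attrs in parse_entries(text).items()}
```

An entry whose counts are all zero after a password change and several failed binds, as in the output posted above, indicates the overlay is not recording state for that entry.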
        
