Clowser, Jeff wrote:

I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.

That's by intention (or should be).  You never want to differentiate to the client the difference between the bind failing because of invalid credentials and failing because the account is locked, for security reasons.

Yes. The slapo-ppolicy(5) manpage already discusses this.

The manpage also discusses the AccountLocked error code - it is returned in the PasswordPolicy response control, not in the LDAP Result code. As the manpage clearly states, "A client will always receive an LDAP InvalidCredentials response ..."
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
