----- "Cyril Grosjean" <[email protected]> wrote:
> Hello,
>
> I use the ppolicy overlay and it works fine for all the features I've
> tested but one:
>
> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
> still get the err=49 invalid credentials error message after 5
> unsuccessful authentication attempts (a few seconds elapse between
> each attempt)
>
> I operate slapd 2.4.13 over OpenSuse 10.2
>
> I can for example expire passwords, reset them or use the password
> history feature, but I can't figure out how to get an "account locked"
> message instead of "invalid credentials" when a user fails to log in
> more than 5 times.

Well, you probably actually want them to get a message telling them that their password has expired, *before* they get locked out (otherwise you need admin intervention anyway).

> I've tested with different ldapsearch versions as well as with Apache
> LDAP Studio which seems to use at least some LDAP controls, so I don't
> think it's a client side problem.

Are you using the '-e ppolicy' option to ldapwhoami or similar? Password policy requires the client to ask for, and interpret the password policy controls. So, most likely it *is* a client side problem.

[...]

> Any clue ?

Test with ldapwhoami, with the '-e ppolicy' options. If they work correctly, then this is not an OpenLDAP issue, and you should ask about pam_ldap password policy support on another list (e.g. OpenLDAP-technical) which allows pam_ldap questions.

Regards,
Buchan
