Sorry, I did not know that option and had never used it. Now I confirm it works fine with ldapsearch.
I have also successfully tested it with ldapwhoami. The "-e" option works fine as well with the ldapwhoami command from Suse 10.2, but it didn't appear in my man pages, I can just see it with the "-h" option. Thank you for your support.

Buchan Milne wrote:
> ----- "Cyril Grosjean" <[email protected]> wrote:
>
>> Buchan Milne wrote:
>>
>>> ----- "Cyril Grosjean" <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> I use the ppolicy overlay and it works fine for all the features I've
>>>> tested but one:
>>>>
>>>> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
>>>> still get the err=49 invalid credentials error message after 5
>>>> unsuccessful authentication attempts (a few seconds elapse between
>>>> each attempt)
>>>>
>>>> I operate slapd 2.4.13 over OpenSuse 10.2
>>>>
>>>> I can for example expire passwords, reset them or use the password
>>>> history feature, but I can't figure out how to get an "account locked"
>>>> message instead of "invalid credentials" when a user fails to log in
>>>> more than 5 times.
>>>
>>> Well, you probably actually want them to get a message telling them
>>> that their password has expired, *before* they get locked out
>>> (otherwise you need admin intervention anyway).
>>>
>>>> I've tested with different ldapsearch versions as well as with Apache
>>>> LDAP Studio which seems to use at least some LDAP controls, so I don't
>>>> think it's a client side problem.
>>>
>>> Are you using the '-e ppolicy' option to ldapwhoami or similar?
>>> Password policy requires the client to ask for, and interpret the
>>> password policy controls. So, most likely it *is* a client side
>>> problem.
>>>
>>> [...]
>>>
>>>> Any clue?
>>>
>>> Test with ldapwhoami, with the '-e ppolicy' options. If they work
>>> correctly, then this is not an OpenLDAP issue, and you should ask
>>> about pam_ldap password policy support on another list (e.g.
>>> OpenLDAP-technical) which allows pam_ldap questions.
>>>
>>> Regards,
>>> Buchan
>>
>> Thank you for all your answers. I understand it's a client problem
>> now. I haven't tested yet with ldapwhoami, but I will soon. I've only
>> tested with different versions (Solaris and Linux) of ldapsearch, as
>> well as with Apache Directory Studio and didn't find any option here
>> to deal with the password policy controls.
>
> -e ppolicy should work with ldapsearch as well:
>
> $ ldapsearch --help 2>&1|grep -C8 ppolicy
>   -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
>              [!]assert=<filter>   (a RFC 4515 Filter string)
>              [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
>              [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
>                      one of "chainingPreferred", "chainingRequired",
>                      "referralsPreferred", "referralsRequired"
>              [!]manageDSAit
>              [!]noop
>              ppolicy
>              [!]postread[=<attrs>]  (a comma-separated attribute list)
>              [!]preread[=<attrs>]   (a comma-separated attribute list)
>              [!]relax
>              abandon, cancel, ignore (SIGINT sends abandon/cancel,
>              or ignores response; if critical, doesn't wait for SIGINT.
>              not really controls)
>   -f file    read operations from `file'
>   -h host    LDAP server
>
> Regards,
> Buchan
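The control that `-e ppolicy` asks for is the password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, defined in draft-behera-ldap-password-policy); a locked account still yields bind result 49, and the "account locked" detail lives only in that control's value, which is why a client that never decodes it sees plain invalid credentials. The decoder below is an added example, not code from this thread or from OpenLDAP; it uses only the Python standard library, and the sample control values are constructed by hand rather than captured from a server.

```python
"""Decode passwordPolicyResponseValue (draft-behera-ldap-password-policy).
Added example, standard library only; sample bytes are constructed by hand."""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error [1] ENUMERATED values, in the order the draft defines them
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]
# warning [0] CHOICE alternatives, keyed by their implicit context tag
WARNINGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}


def _tlv(buf, pos):
    """Read one BER TLV at pos: returns (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form definite length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Return {'warning': (name, int) or None, 'error': name or None}."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("passwordPolicyResponseValue must be a SEQUENCE")
    result, pos = {"warning": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                     # warning [0]: a CHOICE is explicitly tagged
            wtag, wval, _ = _tlv(inner, 0)
            if wtag not in WARNINGS:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
            result["warning"] = (WARNINGS[wtag], int.from_bytes(wval, "big", signed=True))
        elif tag == 0x81:                   # error [1] ENUMERATED, implicitly tagged
            result["error"] = ERRORS[int.from_bytes(inner, "big")]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return result


# Constructed control values (not captured from a live server):
LOCKED = bytes.fromhex("3003810101")                # error = accountLocked(1)
EXPIRING = bytes.fromhex("3005a00380013c")          # warning = timeBeforeExpiration 60 s
LAST_GRACE = bytes.fromhex("3008a003810100810100")  # graceAuthNsRemaining 0 + passwordExpired

if __name__ == "__main__":
    for name, raw in [("LOCKED", LOCKED), ("EXPIRING", EXPIRING), ("LAST_GRACE", LAST_GRACE)]:
        print(name, decode_ppolicy_response(raw))
```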
