> On 06/01/2012 21:29, Chris Jacobs wrote:
> > Your example shows only 2 pwdFailureTime entries and your policy indicates 
> > "pwdMaxFailure: 3".
> >
> 
> Hi Chris,
> 
> No matter how many failed attempts I make, it never appears as locked:
> 
> I now have:
> pwdFailureTime: 20120106193928Z
> pwdFailureTime: 20120106194040Z
> pwdFailureTime: 20120107112658Z
> pwdFailureTime: 20120107112705Z
> 
> and still no pwdAccountLockedTime.
> 
> Is anybody observing the same behavior?
> 

Your initial mail does not show a 'ppolicy_default' in slapd.conf.  I 
believe you need to create a default ppolicy entry in LDAP, and specify 
it in slapd.conf:



# Password Policy
overlay ppolicy
ppolicy_default "cn=default,ou=ppolicy,dc=local"

Without the default, or if you want a user to use something other than 
default, you'll need to manually set the pwdPolicySubentry for the 
user.  In your case:



dn: uid=lcaron_99,ou=People,dc=local
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=lcaron_99,ou=ppolicy,dc=local

~/joe
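
The policy resolution described in the reply above, as an added example that is not part of the original message or of OpenLDAP: a small Python diagnostic that decides which policy applies to an entry (pwdPolicySubentry first, then ppolicy_default, otherwise none) and whether the recorded pwdFailureTime values should have produced a lockout. The failure timestamps and pwdMaxFailure: 3 come from the thread; the slapd.conf fragments, the pwdLockout and pwdFailureCountInterval values, the simplified counting window, and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

def parse_entry(ldif):
    """Parse one unfolded LDIF entry into {lowercased attribute: [values]}."""
    attrs = {}
    for line in ldif.strip().splitlines():
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def effective_policy_dn(slapd_conf, user):
    """pwdPolicySubentry on the entry wins, then ppolicy_default, else None."""
    if user.get("pwdpolicysubentry"):
        return user["pwdpolicysubentry"][0]
    m = re.search(r'^[ \t]*ppolicy_default[ \t]+"?([^"\n]+?)"?[ \t]*$', slapd_conf, re.M)
    return m.group(1) if m else None

def diagnose(slapd_conf, user, policies):
    """Explain whether pwdAccountLockedTime should have been set for this entry."""
    dn = effective_policy_dn(slapd_conf, user)
    if dn is None:
        return "no policy applies"
    policy = policies.get(dn.lower())
    if policy is None:
        return "policy entry not found"
    if policy.get("pwdlockout", ["FALSE"])[0].upper() != "TRUE":
        return "pwdLockout is not TRUE"
    max_fail = int(policy.get("pwdmaxfailure", ["0"])[0])
    interval = int(policy.get("pwdfailurecountinterval", ["0"])[0])
    times = sorted(datetime.strptime(t, "%Y%m%d%H%M%SZ") for t in user.get("pwdfailuretime", []))
    if interval > 0 and times:  # assumption: window is measured back from the latest failure
        times = [t for t in times if times[-1] - t <= timedelta(seconds=interval)]
    return "lockout expected" if 0 < max_fail <= len(times) else "below pwdMaxFailure"

# Constructed sample data: failure times and pwdMaxFailure: 3 are from the thread;
# the pwdLockout and pwdFailureCountInterval values are assumptions.
USER = parse_entry("""dn: uid=lcaron_99,ou=People,dc=local
pwdFailureTime: 20120106193928Z
pwdFailureTime: 20120106194040Z
pwdFailureTime: 20120107112658Z
pwdFailureTime: 20120107112705Z""")
POLICY = parse_entry("""dn: cn=default,ou=ppolicy,dc=local
pwdMaxFailure: 3
pwdLockout: TRUE
pwdFailureCountInterval: 0""")
POLICIES = {POLICY["dn"][0].lower(): POLICY}
CONF_NO_DEFAULT = "overlay ppolicy\n"
CONF_WITH_DEFAULT = 'overlay ppolicy\nppolicy_default "cn=default,ou=ppolicy,dc=local"\n'
```

With `CONF_NO_DEFAULT` the result is "no policy applies", which matches the symptom in the thread: failures are recorded but no pwdAccountLockedTime appears.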


                                          
