
I configured OpenLDAP 2.4 on RHEL 6.5.

I applied the default password policy on my LDAP tree.

But the account lock is only effectively applied when I do su - username with a wrong password.

But when I try to check by logging in with a PuTTY session or direct SSH, it is not applied.

Can anyone please help me with the above issue?

When I tried using sudo su - testuser2.4:

pwdFailureTime: 20150427095439Z
pwdFailureTime: 20150427095445Z
pwdFailureTime: 20150427095451Z
pwdAccountLockedTime: 20150427095451Z

But when I tried a direct SSH or PuTTY session with 3 failures, the policy is still not applied.

1 Answer


You have to avoid using the managerDN user. That's for use by OpenLDAP itself, and it bypasses all overlays, specifically this one. The overlay will work if you're logging in as a user within the DIT.

  • I have the following configuration in slapd.conf. #This enables the ppolicy overlay for our password policies and will be applicable to all users. overlay ppolicy #The object which contains all the password policies; refer to the ppolicy.ldif file for the policies. ppolicy_default "cn=default,ou=Policies,dc=company,dc=com" #This would not return "account locked" in case the account is locked, for security purposes. ppolicy_use_lockout Can you suggest what needs to be done from the above, or how I can disable the managerDN? – Shashikanth Bussa Apr 27 '15 at 11:18
  • I didn't say anything about disabling the managerDN. I said *not to use it* yourself, or by your applications. It isn't subject to the password policy. All other accounts are. – user207421 Apr 27 '15 at 13:22
  • Hi, thanks for your answer. But can you elaborate a bit more clearly, as I am a beginner to OpenLDAP? – Shashikanth Bussa Apr 27 '15 at 17:24
  • What part of 'don't use it yourself' don't you understand? – user207421 Apr 27 '15 at 23:01
  • I changed the DIT as per your instructions in the slapd.conf file. But still pwdFailureTime and pwdAccountLockedTime are not working. Except for these 2 attributes, all of them are working fine. Can you please suggest on the above configuration? – Shashikanth Bussa May 04 '15 at 08:04
  • Hi! Sorry for troubling anyone. But I made more configuration changes to resolve the above issue. Now whenever I try to use the ldapwhoami command with credentials to lock, it is working fine on the LDAP server, but not in the SSH session or PuTTY session. Please suggest where I am going wrong, or whether anyone has faced the same issue. – Shashikanth Bussa May 04 '15 at 17:39
  • One more addition to my trials: I commented out ppolicy_default "cn=default,ou=Policies,dc=company,dc=com" in slapd.conf. But it is reflecting the pwdFailureTime stamp. But on locking the user accounts after a few wrong attempts... – Shashikanth Bussa May 06 '15 at 07:36