Just to think outside of what you have already mentioned:
Client nscd service running?
Use authconfig to show if you have caching and local authorization settings:
authconfig-tui
Change things on a test client and then tail the /var/log/slapd/<servername>/access (and other) logs while grepping for the user:
tail -f /var/log/slapd/dirsrv1.blah.blah/access | grep bobby
or even
tail -f /var/log/slapd/dirsrv1.blah.blah/* | grep bobby
On Wed, Dec 11, 2013 at 1:35 PM, JLPicard <jlpicar...@hotmail.com> wrote:
Yes,
It shows up in the "dse.ldif" file:
root@my-ldapHost01% grep nsslapd-pwpolicy-local dse.ldif
nsslapd-pwpolicy-local: on
It also shows up on ldapsearch:
root@my-ldapHost01% ldapsearch -x -ZZ -LLL -W -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D 'cn=directory manager' -b 'cn=config' -s base 'objectClass=*' 'nsslapd-pwpolicy-local'
Enter LDAP Password:
dn: cn=config
nsslapd-pwpolicy-local: on
On 11/26/2013 9:00 AM, Ludwig Krispenz wrote:
Hi,
did you set:
nsslapd-pwpolicy-local: on
in cn=config ?
Ludwig
On 11/26/2013 02:13 PM, JLPicard wrote:
Yes, I can. After 8 consecutive failed authentications, the account can still successfully query the DS with the correct password.
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w goodPwrd "cn=test-user-account"
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: test-user-account
cn: test-user-account
uidNumber: 2853
gidNumber: 2600
gecos: LDAP Test
homeDirectory: /home/test-user-account
loginShell: /bin/tcsh
On 11/25/2013 5:49 PM, 389-users-requ...@lists.fedoraproject.org wrote:
From: Rich Megginson <rmegg...@redhat.com>
To: "General discussion list for the 389 Directory server project." <389-us...@lists.fedoraproject.org>
Cc: JLPicard <jlpicar...@hotmail.com>
Subject: Re: [389-users] Password Failure Lockout doesn't seem to work
Message-ID: <5293d3fc.2090...@redhat.com>
On 11/25/2013 03:33 PM, JLPicard wrote:
> Hi, I am testing out 389_ds_base, version =1.2.11.15,REV=2013.01.31, running on mixed Solaris 10 servers (SPARC and X86) sourced from http://www.opencsw.org/packages/CSW389-ds-base in multi-master mode with 4 servers that is primarily used for authentication and user/group/netgroup management.
>
> Most of the Password policy components seem to work as they should, but password failure account lockout doesn't appear to engage after X failed attempts. After creating a new account and testing a successful login, after 5+ failed logins with bad passwords I can still login after I would expect to be locked out. I even created a new password policy and applied it to this user and it still doesn't lock him out after 5+ failed logins with bad passwords.
Can you reproduce the issue with ldapsearch?
ldapsearch ... -D "uid=myuser,...." -w "badpassword" ...
repeat 5 times
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
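The advice at the top of the thread is to tail the server's access log while grepping for the user. The following is an added Python example, not code from the thread or from the 389 DS project, that does the same correlation offline: it pairs each BIND with the RESULT carrying the same conn/op, counts consecutive err=49 results per bind DN, and reports a DN that still gets err=0 after reaching the failure threshold (the symptom reported in this thread) as well as a DN that gets err=19 (assumed here to be what a working lockout returns). The access-log line layout, the err=19 lockout code, the DN uid=bobby and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Access-log line layout assumed for this example (389 DS style); not taken from the thread.
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

ERR_SUCCESS = 0         # bind accepted
ERR_LOCKED = 19         # constraintViolation: assumed code for "retry limit exceeded"
ERR_INVALID_CREDS = 49  # invalidCredentials, as in the ldapsearch output in the thread


def bind_results(lines):
    """Pair every BIND with the RESULT that has the same conn/op; yield (dn, err)."""
    pending = {}
    for line in lines:
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.match(line)
        if m:
            dn = pending.pop((m["conn"], m["op"]), None)
            if dn:  # skips anonymous binds and RESULT lines of non-bind operations
                yield dn, int(m["err"])


def analyze(lines, max_failure=5):
    """Track consecutive failed binds per DN.

    Returns (streaks, findings). findings[dn] is ("lockout_not_enforced", n)
    when the DN bound successfully after n >= max_failure consecutive failures,
    or ("locked_out", n) when the server answered the bind with err=19.
    """
    streaks = defaultdict(int)
    findings = {}
    for dn, err in bind_results(lines):
        if err == ERR_INVALID_CREDS:
            streaks[dn] += 1
        elif err == ERR_SUCCESS:
            if streaks[dn] >= max_failure:
                findings[dn] = ("lockout_not_enforced", streaks[dn])
            streaks[dn] = 0
        elif err == ERR_LOCKED:
            findings[dn] = ("locked_out", streaks[dn])
    return dict(streaks), findings


def bind_pair(conn, dn, err, ts="11/Dec/2013:13:35:01 -0500"):
    """Constructed connection/BIND/RESULT lines; one ldapsearch run = one new conn, op=0."""
    return [
        f"[{ts}] conn={conn} fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1",
        f'[{ts}] conn={conn} op=0 BIND dn="{dn}" method=128 version=3',
        f"[{ts}] conn={conn} op=0 RESULT err={err} tag=97 nentries=0 etime=0",
    ]


TEST_DN = "uid=test-user-account,ou=people,dc=my-domain,dc=com"
OTHER_DN = "uid=bobby,ou=people,dc=my-domain,dc=com"   # hypothetical second account
DM_DN = "cn=directory manager"

# Constructed sample log: 8 bad binds then a good one for the test account (the
# reported symptom), 5 bad binds then err=19 for the second account (a lockout
# that did engage), and one successful Directory Manager bind.
SAMPLE_ACCESS_LOG = []
for i in range(8):
    SAMPLE_ACCESS_LOG += bind_pair(100 + i, TEST_DN, ERR_INVALID_CREDS)
SAMPLE_ACCESS_LOG += bind_pair(108, TEST_DN, ERR_SUCCESS)
for i in range(5):
    SAMPLE_ACCESS_LOG += bind_pair(200 + i, OTHER_DN, ERR_INVALID_CREDS)
SAMPLE_ACCESS_LOG += bind_pair(205, OTHER_DN, ERR_LOCKED)
SAMPLE_ACCESS_LOG += bind_pair(300, DM_DN, ERR_SUCCESS)


if __name__ == "__main__":
    streaks, findings = analyze(SAMPLE_ACCESS_LOG, max_failure=5)
    for dn, (status, n) in findings.items():
        print(f"{status}: {dn} after {n} consecutive failed binds")
    # On a server, pass the real file instead:
    # analyze(open("/var/log/slapd/<servername>/access"), max_failure=5)
```

Set max_failure to the passwordMaxFailure value of the policy under test; a "lockout_not_enforced" finding for the account means the server accepted the correct password after the threshold was crossed, which is exactly what the ldapsearch transcript above shows, while "locked_out" is what you would expect to see once the policy is actually in effect.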