On 20/10/15 15:57, Mark Reynolds wrote:
On 10/20/2015 09:37 AM, Mitja Mihelič wrote:
Hi!
We are using nsAccountLock=true to lock user accounts. We also
have dovecot authenticating users against the 389DS.
If we set nsAccountLock=true, then we get
Oct 20 14:39:30 SERVER dovecot: auth: Error:
ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): ldap_bind() failed:
Server is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth:
ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): Falling back to expired
data from cache
Dovecot thinks the server is not working properly so it reads login
info from its cache and authentication succeeds.
Can I set 389DS to return a different response?
Something that says: "User is locked" or "Authentication failed"...
The server is returning an LDAP Error 53 (unwilling to perform) with a
message that states it's locked ("Account inactivated. Contact system
administrator."), but dovecot is not returning this text to its client
- it's only returning the error code (with the ldap description of that
error code).
Thank you for the explanations.
Looking at the LDAP error codes, would it not be more accurate if it
returned 49/533 ACCOUNT_DISABLED ?
I was going by
http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes#gsc.tab=0
Kind regards, Mitja
Mark
Kind regards, Mitja
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
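A log check for the sequence quoted in the first message, as an added example that is not part of the original thread: it flags auth sessions where dovecot falls back to cached data right after the directory refused the bind with "Server is unwilling to perform". The sample lines are constructed (user names, documentation IP addresses, session ids, and the "Can't contact LDAP server" line); only the two message texts being matched come from the post.

```python
import re

# Matches the dovecot auth lines quoted in the thread (joined onto one line).
LINE_RE = re.compile(
    r"dovecot: auth: (?:Error: )?"
    r"ldap\((?P<user>[^,]+),(?P<ip>[^,]+),<(?P<session>[^>]*)>\): (?P<msg>.*)$"
)
UNWILLING = "ldap_bind() failed: Server is unwilling to perform"
CACHE_FALLBACK = "Falling back to expired data from cache"


def find_cache_fallback_after_unwilling(lines):
    """Return (user, ip) pairs where a cache fallback followed an
    'unwilling to perform' bind failure in the same auth session."""
    pending = set()  # (user, ip, session) with an unresolved refused bind
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["user"], m["ip"], m["session"])
        msg = m["msg"].strip()
        if msg == UNWILLING:
            pending.add(key)
        elif msg == CACHE_FALLBACK and key in pending:
            # Directory refused the bind, yet cached data was consulted.
            pending.discard(key)
            findings.append((m["user"], m["ip"]))
    return findings


# Constructed sample log (not taken from a real server).
SAMPLE_LOG = [
    # alice: bind refused, then cache fallback -> should be flagged
    "Oct 20 14:39:30 SERVER dovecot: auth: Error: ldap(alice,192.0.2.10,<s1>): ldap_bind() failed: Server is unwilling to perform",
    "Oct 20 14:39:31 SERVER dovecot: auth: ldap(alice,192.0.2.10,<s1>): Falling back to expired data from cache",
    # bob: directory unreachable, then cache fallback -> a genuine outage, not flagged
    "Oct 20 14:40:02 SERVER dovecot: auth: Error: ldap(bob,192.0.2.11,<s2>): ldap_bind() failed: Can't contact LDAP server",
    "Oct 20 14:40:03 SERVER dovecot: auth: ldap(bob,192.0.2.11,<s2>): Falling back to expired data from cache",
    # carol: bind refused, no cache fallback logged -> not flagged
    "Oct 20 14:41:15 SERVER dovecot: auth: Error: ldap(carol,192.0.2.12,<s3>): ldap_bind() failed: Server is unwilling to perform",
]

if __name__ == "__main__":
    for user, ip in find_cache_fallback_after_unwilling(SAMPLE_LOG):
        print(f"{user} from {ip}: cache fallback after 'unwilling to perform'")
```
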