On 21/10/15 15:54, Rich Megginson wrote:
On 10/21/2015 01:00 AM, Mitja Mihelič wrote:
On 20/10/15 15:57, Mark Reynolds wrote:
On 10/20/2015 09:37 AM, Mitja Mihelič wrote:
Hi!
We are using nsAccountLock=true to lock user accounts. We
also have dovecot authenticating users against the 389DS.
If we set nsAccountLock=true, then we get
Oct 20 14:39:30 SERVER dovecot: auth: Error:
ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): ldap_bind() failed:
Server is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth:
ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): Falling back to
expired data from cache
Dovecot thinks the server is not working properly so it reads login
info from its cache and authentication succeeds.
Can I set 389DS to return a different response?
Something that says: "User is locked" or "Authentication failed"...
The server is returning an LDAP Error 53 (unwilling to perform) with
a message that states it's locked ("Account inactivated. Contact
system administrator."), but dovecot is not returning this text to
its client - it's only returning the error code (with the ldap
description of that error code).
Thank you for the explanations.
Looking at the LDAP error codes, would it not be more accurate if it
returned 49/533 ACCOUNT_DISABLED ?
Yes, if 389 were AD.
What error code would make Dovecot think that the account is disabled?
Unfortunately I cannot provide an answer to this question. To date there
was no reply on the dovecot list to our query.
I was going by
http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes#gsc.tab=0
These have some AD specific codes.
I see. I was under the impression the listed codes were protocol
specific, not implementation specific. Thank you.
Kind regards, Mitja
Mark
Kind regards, Mitja
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users