Locked ldap account , mind-blowing behaviour
807573 | Jun 27 2006 — edited Jun 28 2006
Hello everyone,
I've configured nsswitch.conf, pam.conf and ldapclient in a Solaris 9 machine to query our ds5.2 for the passwd database. Configs are:
1.- nsswitch.conf
(..)
passwd: files ldap
group: files ldap
(..)
2.- pam.conf
(..)
login auth required pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
(...)
3.- ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=eprinsa,dc=es
NS_LDAP_BINDPASSWD= {NS1}<blahblahblah>
NS_LDAP_SERVERS= 10.2.1.111
NS_LDAP_SEARCH_BASEDN= dc=eprinsa,dc=es
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=epr,dc=eprinsa,dc=es?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=epr,dc=eprinsa,dc=es?sub
NS_LDAP_BIND_TIME= 10
Everything works fine... apparently. I can log in to my Sun box with the ldap accounts under ou=epr,dc=eprinsa,dc=es. If I fail to enter the password once for any user then the LDAP password is prompted as a second chance. Failure to enter the correct password now will result in a "login incorrect" message and "libsldap: status: 49 Mesg:simple bind failed - invalid credentials" in /var/adm/messages. So far, so good.
However, if the ldap account is locked, then no matter which password I enter, the user is always allowed to log in. That is, no matter what I type for the password, the locked user will log in. Can anybody explain what I'm doing wrong?
Thanks!
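An added Python example (not from the poster, Solaris or the directory server) that parses the login auth lines quoted above from pam.conf and evaluates the stack under the required/requisite/sufficient/optional control-flag rules. Each module's own verdict is supplied as input, so it shows what the stack as a whole does with a failing pam_ldap, not why pam_ldap returned success for a locked account.

```python
"""Parse Solaris-style pam.conf entries and evaluate an auth stack.

Added example, not from the original post. Module outcomes are
supplied by the caller; only the control-flag logic is modelled.
"""

# Constructed sample: the login auth stack quoted in the post.
PAM_CONF = """\
login auth required pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
"""


def parse_pam_conf(text, service, mtype):
    """Return [(control, module, options)] for service/type in file order."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] != service or fields[1] != mtype:
            continue
        stack.append((fields[2].lower(), fields[3], fields[4:]))
    return stack


def evaluate_stack(stack, results):
    """results maps module name -> True (success) / False (failure).

    Returns True if the stack grants access: every 'required' module
    must succeed, 'requisite' fails immediately, 'sufficient' succeeds
    immediately unless a 'required' module already failed, and
    'optional' only decides when nothing else is in the stack.
    """
    required_failed = False
    optional_ok = False
    for control, module, _opts in stack:
        ok = results.get(module, False)        # unknown module = failure
        if control == "required" and not ok:
            required_failed = True             # keep going, final answer fails
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not required_failed:
            return True
        elif control == "optional":
            optional_ok = optional_ok or ok
    if stack and all(c == "optional" for c, _, _ in stack):
        return optional_ok
    return bool(stack) and not required_failed
```

With the quoted stack every module is "required", so the evaluator denies access whenever pam_ldap reports failure; a locked account being admitted therefore points at what pam_ldap itself returns, not at the stacking.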