Univention Bugzilla – Bug 52902
Password lockout in Samba/AD doesn't trigger ppolicy lockout for OpenLDAP simple bind
Last modified: 2021-05-07 10:37:38 CEST
Password lockout in Samba/AD doesn't trigger ppolicy lockout for OpenLDAP simple bind. See result of Test 1 in Bug #52893 Comment 2 for details. The S4-Connector password.py could attempt to set pwdAccountLockedTime in OpenLDAP. This will only succeed if the ppolicy overlay is loaded in OpenLDAP. Also it may require using the "relax" LDAP control because it is an operational attribute. I think fixing this would improve consistency and security of UCS with respect to the password lockout feature.
A different approach would be to make ppolicy check the sambaAcctFlags attribute for "L". I think that would be more efficient than calling into python-udm on each LDAP bind.
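The two approaches above, a connector writing pwdAccountLockedTime (which needs the Relax Rules control) and a check of sambaAcctFlags for "L", as an added Python illustration that is not UCS, S4-Connector or ppolicy code; the function names, the dict-shaped LDAP entry and the "replace"/"delete" operation strings are assumptions.

```python
"""Reconcile Samba's account lock flag with OpenLDAP ppolicy state.

Illustrative code added here, not UCS, S4-Connector or ppolicy code. It
assumes only the attribute semantics the bug names: Samba marks a locked
account with "L" inside sambaAcctFlags (e.g. "[UL         ]"), and the
OpenLDAP ppolicy overlay refuses simple binds while the operational
attribute pwdAccountLockedTime is set. The function returns the modification
a connector would have to send; it does not talk to a directory.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# OID of the Relax Rules control. OpenLDAP only accepts a client write to an
# operational attribute such as pwdAccountLockedTime when the modify request
# carries this control.
RELAX_RULES_CONTROL_OID = "1.3.6.1.4.1.4203.666.5.12"

Modification = Tuple[str, str, List[str]]  # (op, attribute, values)


def samba_account_locked(samba_acct_flags: str) -> bool:
    """True if the sambaAcctFlags value carries the "L" (locked out) flag."""
    flags = samba_acct_flags.strip()
    if flags.startswith("[") and flags.endswith("]"):
        flags = flags[1:-1]          # Samba writes the flags in brackets
    return "L" in flags


def utc_generalized_time(when: Optional[datetime] = None) -> str:
    """LDAP GeneralizedTime (YYYYmmddHHMMSSZ) as ppolicy stores it."""
    when = when or datetime.now(timezone.utc)
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def ppolicy_lockout_modlist(samba_acct_flags: str,
                            ldap_entry: Dict[str, List[str]],
                            locked_at: str) -> List[Modification]:
    """Modification(s) that bring pwdAccountLockedTime in line with Samba.

    Returns an empty list when both sides already agree, so a connector
    calling this on every sync does not rewrite the attribute needlessly.
    """
    lock_present = bool(ldap_entry.get("pwdAccountLockedTime"))
    if samba_account_locked(samba_acct_flags):
        if lock_present:
            return []            # keep the original lockout timestamp
        return [("replace", "pwdAccountLockedTime", [locked_at])]
    if lock_present:
        # Samba cleared the lock (admin unlock or lockout duration expired):
        # removing the attribute lets ppolicy accept simple binds again.
        return [("delete", "pwdAccountLockedTime", [])]
    return []
```

The returned modification must be sent with the Relax Rules control attached (python-ldap ships it as ldap.controls.simple.RelaxRulesControl), and only succeeds if the ppolicy overlay is loaded, as the first comment notes.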