0 Replies Latest reply: Jan 10, 2011 6:36 AM by 829894

    LDAP account locking with Windows (smbldap)

    829894
      We're running Directory Server 7 in our area and it's all set up and
      working. We're using the smbldap-tools in conjunction with it to have the
      directory server allow domain logins.

      The main issue is that we want to enforce account lockouts after 5
      failed attempts. When using the built-in password policy in the
      directory server to do this, and a user locks their account, they can no
      longer log into any of the Linux systems (what we want). However, with
      Windows, a user can still log in with their current password; if they
      type a bad password, they get an error saying there's a problem with
      their account, so the locking doesn't work.

      My theory is just that the LDAP server is preventing Windows from seeing
      some of the attributes once the account is locked, probably preventing
      info from being written to the Samba bad password count.

      Do you know if there's a way to modify the LDAP server configuration
      such that, when an account is locked out, it modifies OTHER attributes than
      the defaults? So, if the directory server enables the lockout, it
      modifies not only the pwdaccountlockedtime field, but also, say,
      sambaAccountFlags?

      Thanks for any tips.
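One way to cover the attribute-sync half of this question, as an added example that is not from the thread or from the smbldap-tools project: derive the Samba "disabled" flag from the password-policy lock marker so that Samba refuses the logon as well. It assumes the Samba schema attribute is sambaAcctFlags (the post calls it sambaAccountFlags), uses the "[U          ]" bracketed flag format smbldap-tools writes, and feeds the logic a constructed dict standing in for an LDAP search result.

```python
import re

# pwdAccountLockedTime is the lock marker named in the post; sambaAcctFlags is
# the Samba schema attribute (assumption: the post's "sambaAccountFlags").
LOCK_ATTR = "pwdAccountLockedTime"
FLAGS_ATTR = "sambaAcctFlags"
_FLAGS_RE = re.compile(r"^\[([A-Za-z ]*)\]$")

def parse_acct_flags(value):
    """Split '[U          ]' into (set of flag letters, inner field width)."""
    m = _FLAGS_RE.match(value)
    if not m:
        raise ValueError("malformed sambaAcctFlags: %r" % value)
    inner = m.group(1)
    return set(inner.replace(" ", "")), len(inner)

def format_acct_flags(flags, width=11):
    """Rebuild the bracketed, space-padded string Samba expects."""
    letters = "".join(sorted(flags))
    if len(letters) > width:
        raise ValueError("too many flags for field width %d" % width)
    return "[" + letters.ljust(width) + "]"

def desired_flags(entry):
    """sambaAcctFlags value matching the LDAP lock state: 'D' set iff locked.
    Caution: this also clears a 'D' an admin set by hand; track sync-set
    flags separately in production before clearing."""
    locked = bool(entry.get(LOCK_ATTR))
    flags, width = parse_acct_flags(entry[FLAGS_ATTR])
    new = (flags | {"D"}) if locked else (flags - {"D"})
    return format_acct_flags(new, width)

def lockout_sync_ldif(entry):
    """LDIF modify record bringing sambaAcctFlags in line, or None if in sync."""
    new_value = desired_flags(entry)
    if new_value == entry[FLAGS_ATTR]:
        return None
    return "\n".join([
        "dn: " + entry["dn"],
        "changetype: modify",
        "replace: " + FLAGS_ATTR,
        FLAGS_ATTR + ": " + new_value,
        "",
    ])

# Constructed sample entries (hypothetical DNs and a constructed timestamp).
LOCKED_USER = {"dn": "uid=alice,ou=People,dc=example,dc=com",
               FLAGS_ATTR: "[U          ]",
               LOCK_ATTR: "20110110063600Z"}
UNLOCKED_USER = {"dn": "uid=bob,ou=People,dc=example,dc=com",
                 FLAGS_ATTR: "[DU         ]"}
```

Run periodically (or from a lockout-audit job) and pipe the LDIF into ldapmodify with a bind that may write sambaAcctFlags; a None result means nothing to change.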