We're running directory server 7 in our area and it's all set up and
working. We're using the smbldap-tools in conjunction to have the
directory server allow domain logins.
The main issue is that we want to enforce account lockouts after 5
failed attempts. When using the built-in password policy in the
directory server to do this, and a user locks their account, they can no
longer log into any of the Linux systems (which is what we want). However, with
Windows, a user can still log in with their current password; if they
type a bad password, they get an error saying there's a problem with
their account, so the locking doesn't work.
My theory is just that the LDAP server is preventing Windows from seeing
some of the attributes once the account is locked, probably preventing
info from being written to the Samba bad password count.
Do you know if there's a way to modify the LDAP server configuration
such that, when an account is locked out, it modifies attributes OTHER
than the defaults? So, if the directory server enables the lockout, it
modifies not only the pwdaccountlockedtime field, but also, say,
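One way to get the effect the question is after, without any server-side configuration, is a small sync job that mirrors the directory's lock state into the Samba account flags: read the Samba users with `ldapsearch`, mark every entry that carries `pwdAccountLockedTime` with Samba's auto-lockout flag `L` in `sambaAcctFlags`, clear it again once the directory has unlocked the account, and feed the result to `ldapmodify`. The script below is an added example, not code from the original post or from smbldap-tools. It assumes that `pwdAccountLockedTime` (the attribute named in the post) is present only while the account is locked, that `sambaAcctFlags` uses the usual bracketed `[U          ]` form, and that your Samba build refuses a logon when `L` is set; the LDIF input is constructed for the example. The `L` flag is chosen over `D` because `D` is shared with accounts an admin has deliberately disabled, so clearing it on unlock would re-enable those too.

```python
"""Mirror a Directory Server password-policy lockout into sambaAcctFlags.

Added example, not the poster's or smbldap-tools' code.  Assumptions:
 - a locked account has a non-empty pwdAccountLockedTime (attribute named in the post);
 - sambaAcctFlags is the bracketed, space-padded form Samba writes, e.g. "[U          ]";
 - Samba treats the "L" (auto-lockout) flag as a reason to refuse the logon.
Input LDIF is constructed here; in practice it comes from
`ldapsearch -LLL -b ou=People,... '(objectClass=sambaSamAccount)' sambaAcctFlags pwdAccountLockedTime`
and the output goes to `ldapmodify -f sync.ldif`.
"""
import base64
from typing import Dict, List, Tuple

LOCK_ATTR = "pwdAccountLockedTime"   # assumption: set only while the account is locked
FLAGS_ATTR = "sambaAcctFlags"
LOCK_FLAG = "L"                      # Samba auto-lockout flag; "D" is shared with admin-disabled accounts

# Constructed sample export: alice is locked, bob is fine, carol was unlocked
# by the directory but still carries L, dave is locked and also admin-disabled.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
sambaAcctFlags: [U          ]
pwdAccountLockedTime: 20100201093000Z

dn: uid=bob,ou=People,dc=example,dc=com
sambaAcctFlags: [UX         ]

dn: uid=carol,ou=People,dc=example,dc=com
sambaAcctFlags: [UL         ]

dn: uid=dave,ou=People,dc=example,dc=com
sambaAcctFlags: [DU         ]
pwdAccountLockedTime: 20100201101500Z
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfold RFC 2849 continuation lines, decode '::' base64
    values, key attributes by lower-cased name, split entries on blank lines."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in unfolded + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(name.strip().lower(), []).append(value)
    return entries


def is_locked(entry: Entry) -> bool:
    return any(v for v in entry.get(LOCK_ATTR.lower(), []))


def set_flag(flags: str, letter: str, present: bool) -> str:
    """Add or remove one letter inside a bracketed sambaAcctFlags value while
    keeping its width (padding shrinks or grows to compensate). Samba decodes
    the flags by scanning characters, so the letter order does not matter."""
    if not (flags.startswith("[") and flags.endswith("]")):
        raise ValueError(f"unexpected {FLAGS_ATTR} format: {flags!r}")
    body = flags[1:-1]
    letters = body.rstrip()
    if present and letter not in letters:
        if len(letters) >= len(body):
            raise ValueError("no room for another flag")
        letters += letter
    elif not present:
        letters = letters.replace(letter, "")
    return "[" + letters.ljust(len(body)) + "]"


def plan_changes(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(dn, old_flags, new_flags) for every Samba entry whose L flag disagrees
    with the directory's lock state."""
    changes = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        old = e.get(FLAGS_ATTR.lower(), [None])[0]
        if not dn or old is None:
            continue                                   # not a Samba account: nothing to sync
        new = set_flag(old, LOCK_FLAG, is_locked(e))
        if new != old:
            changes.append((dn, old, new))
    return changes


def to_modify_ldif(changes: List[Tuple[str, str, str]]) -> str:
    """Render the plan as LDIF suitable for ldapmodify."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: {FLAGS_ATTR}\n{FLAGS_ATTR}: {new}\n-\n"
        for dn, _old, new in changes
    )


if __name__ == "__main__":
    print(to_modify_ldif(plan_changes(parse_ldif(SAMPLE_LDIF))), end="")
```

Run it from cron against a fresh export and pipe the output into `ldapmodify` with a bind DN that may write `sambaAcctFlags`. Two things to check before trusting it: that the `pwdAccountLockedTime` attribute is actually returned to the search bind you use (the post's own theory is that lock-related attributes may be hidden from some binds), and how your Samba build's own bad-password lockout timer interacts with an `L` flag it did not set, since only a Windows logon test against a locked and then unlocked account will confirm the behaviour.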