You might be interested in trying slapo-ppolicy (Password Policy overlay), as suggested here. That's indeed a sort of standard, though it might be a bit overkill for what you're trying to do. Specifically, the interesting attribute is
pwdAccountLockedTime
This attribute contains the time that the user's account was locked.
If the account has been locked, the password may no longer be used to
authenticate the user to the directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator.
I suggest you enable the LDAP log and take a look at this. On Red Hat based distros, you can do it by following these steps:
Set a syslog facility:
cat /etc/sysconfig/ldap
SLAPD_OPTIONS="-l local4"
Specify a log file for OpenLDAP in /etc/syslog.conf:
# OpenLDAP log
local4.* /var/log/ldap.log
touch /var/log/ldap.log
and restart syslogd
On other distros, at step one, simply add -l local4 to the start() function in your init script.
EDIT
Set loglevel to 128 (ACL processing) and try again.
EDIT 2
cannot assess the validity of the ACL scope within backend naming context
Put the ACLs before the backend context:
access to attrs=userPassword
by self write
by users read
by * none
access to *
by self write
by users read
by * none
database bdb
suffix "dc=monzell,dc=com"
checkpoint 1024 15
rootdn "cn=root,dc=monzell,dc=com"
rootpw <REDACTED>
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
database monitor
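To make the pwdAccountLockedTime semantics quoted at the top of this answer concrete, here is an added example (my code, not the answerer's and not part of slapo-ppolicy) that reads one entry as ldapsearch prints it and classifies it the way the overlay will treat the next bind: the 000001010000Z sentinel is a permanent lock, a pwdLockoutDuration of 0 also needs an administrator, and otherwise the lock expires pwdLockoutDuration seconds after the recorded time. It also produces the LDIF an administrator would feed to ldapmodify to clear the lock. The DNs, timestamps and the 900-second duration are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# slapo-ppolicy stores this year-0000 sentinel in pwdAccountLockedTime when an
# account is permanently locked; only an administrator can clear it.
PERMANENT_LOCK = "000001010000Z"


def parse_ldif_entry(ldif_text):
    """Minimal reader for one LDIF entry: returns (dn, {attribute: [values]}).
    Folded continuation lines (leading space), as ldapsearch emits them, are joined.
    Base64 ('::') values are not decoded; this example only needs timestamps."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def parse_generalized_time(value):
    """LDAP GeneralizedTime as ppolicy writes it (20240115103000Z) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_status(attrs, lockout_duration, now):
    """Classify an entry the way slapo-ppolicy will treat its next bind.

    lockout_duration is the policy's pwdLockoutDuration in seconds (0: the lock never
    expires by itself). now is the current time as GeneralizedTime, e.g. the output
    of `date -u +%Y%m%d%H%M%SZ`."""
    values = attrs.get("pwdAccountLockedTime", [])
    if not values:
        return "unlocked"
    locked = values[0]
    if locked == PERMANENT_LOCK:
        return "locked-permanently"
    if lockout_duration == 0:
        return "locked-until-admin-unlock"
    expires = parse_generalized_time(locked) + timedelta(seconds=lockout_duration)
    if parse_generalized_time(now) >= expires:
        return "lock-expired"  # the password may be used to bind again from this point
    return "locked-temporarily"


def unlock_ldif(dn):
    """LDIF an administrator feeds to ldapmodify to clear the lock by hand."""
    return "dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n" % dn


# Constructed samples (not from the original post): what ldapsearch might return
# for a user locked after too many failures, and for a permanently locked user.
SAMPLE_LOCKED = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdAccountLockedTime: 20240115103000Z
pwdFailureTime: 20240115102955Z
"""

SAMPLE_PERMANENT = """\
dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdAccountLockedTime: 000001010000Z
"""

if __name__ == "__main__":
    now = "20240115110000Z"
    for sample in (SAMPLE_LOCKED, SAMPLE_PERMANENT):
        dn, attrs = parse_ldif_entry(sample)
        print(dn, "->", lock_status(attrs, 900, now))
        print(unlock_ldif(dn))
```

Run it against a real server by piping `ldapsearch -LLL ... pwdAccountLockedTime` output into parse_ldif_entry; the pwdLockoutDuration value comes from the pwdPolicy entry the user is subject to.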
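The EDIT 2 point is about ordering and scope. slapd consults only the first access directive whose <what> matches the entry or attribute, and within it only the first by clause whose <who> matches; anything unmatched falls through to an implicit by * none. This added example (my code, not the answerer's and not OpenLDAP's) parses the access directives out of a slapd.conf fragment, records whether each one sits before the first database line, evaluates requests against them with that first-match rule, and flags attrs= directives that an earlier access to * makes unreachable. It also checks the bind case: a simple bind is evaluated with the connection still anonymous, so userPassword needs by anonymous auth; under the ACL shown above anonymous gets none, and by users read lets every authenticated user read everyone else's password hashes, so a hardened variant is included beside it. Only the *, attrs=, anonymous, users and self selectors are modelled; dn=, filter=, group= and the rootdn bypass are not, and the DNs are constructed.

```python
import re

# OpenLDAP privilege levels, lowest to highest; a grant implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acls(conf_text):
    """Collect 'access to <what> by <who> <level>' directives from slapd.conf text.

    Each result records its scope: 'global' if it appears before the first
    'database' directive, otherwise 'backend'. by-clauses may follow on the same
    line or on continuation lines, as in the fragment above."""
    acls, in_backend, current = [], False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "database":
            in_backend, current = True, None
            continue
        if line.startswith("access to "):
            parts = re.split(r"\s+by\s+", line[len("access to "):].strip())
            current = {"what": parts[0], "by": [],
                       "scope": "backend" if in_backend else "global"}
            acls.append(current)
            by_parts = parts[1:]
        elif line.startswith("by ") and current is not None:
            by_parts = re.split(r"\s+by\s+", line[len("by "):].strip())
        else:
            current = None  # any other directive closes the access clause
            continue
        for part in by_parts:
            who, level = part.split()[:2]
            current["by"].append((who, level))
    return acls


def what_matches(what, attr):
    """Does <what> select the attribute being accessed (attr=None means the entry)?
    Only '*' and 'attrs=' are modelled; dn= and filter= selectors are out of scope."""
    if what == "*":
        return True
    m = re.match(r"attrs?=(.+)$", what)
    if m and attr is not None:
        return attr.lower() in {a.strip().lower() for a in m.group(1).split(",")}
    return False


def who_matches(who, bind_dn, target_dn):
    """<who> forms modelled: *, anonymous, users, self ('' is the anonymous bind DN)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    return False


def granted_level(acls, bind_dn, target_dn, attr):
    """First-match evaluation as slapd does it: the first access directive whose
    <what> matches is the only one consulted; inside it the first matching by
    clause decides; no match anywhere is the implicit 'by * none'."""
    for acl in acls:
        if what_matches(acl["what"], attr):
            for who, level in acl["by"]:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def allowed(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(granted_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def shadowed(acls):
    """Report directives placed after an 'access to *'; slapd never reaches them."""
    warnings, seen_star = [], False
    for acl in acls:
        if acl["what"] == "*":
            seen_star = True
        elif seen_star:
            warnings.append("unreachable: access to %s (an earlier 'access to *' wins)" % acl["what"])
    return warnings


# The ACL block from the answer above, in the global section before the database.
ANSWER_ACL = """
access to attrs=userPassword
    by self write
    by users read
    by * none
access to *
    by self write
    by users read
    by * none
database bdb
"""

# Hardened variant: anonymous may only use the attribute to authenticate (bind),
# and other users get nothing rather than read.
HARDENED_ACL = ANSWER_ACL.replace("by users read\n    by * none\naccess to *",
                                  "by anonymous auth\n    by * none\naccess to *", 1)

# Same clauses in the wrong order: the attrs= directive is never consulted.
SHADOWED_ACL = "access to * by self write by users read by * none\n" \
               "access to attrs=userPassword by self write by anonymous auth by * none\n"

ALICE, BOB = "uid=alice,dc=example,dc=com", "uid=bob,dc=example,dc=com"

if __name__ == "__main__":
    for name, conf in (("answer", ANSWER_ACL), ("hardened", HARDENED_ACL), ("shadowed", SHADOWED_ACL)):
        acls = parse_acls(conf)
        print(name, "anonymous bind as alice needs auth:",
              allowed(acls, "", ALICE, "userPassword", "auth"),
              "| alice reads bob's userPassword:",
              granted_level(acls, ALICE, BOB, "userPassword"), shadowed(acls))
```

Running it shows why the first fix to try on a failing bind is the ACL on userPassword, and loglevel 128 (ACL processing) prints the same first-match decision slapd actually took, so the two can be compared line by line.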
Best Answer
You can use the parameter
in your config to define the type of hashing (e.g. {SSHA}).
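As an added example of the {SSHA} scheme this answer mentions (my code, not the answerer's and not OpenLDAP's): generate and verify values in the layout slapd stores, base64(digest(password + salt) + salt), with the salt recovered from the tail of the decoded value, and audit a dump of userPassword values for cleartext or unsalted entries. {SSHA256} and {SSHA512} from the contrib pw-sha2 module use the same layout and are handled the same way. The sample values are constructed; the 8-byte salt is this example's choice, and any salt length verifies.

```python
import base64
import hashlib
import hmac
import os

# Salted schemes: scheme -> (hash constructor, digest length in bytes).
# {SSHA} is built into slapd; {SSHA256}/{SSHA512} come from the contrib pw-sha2 module.
SALTED = {
    "{SSHA}": (hashlib.sha1, 20),
    "{SSHA256}": (hashlib.sha256, 32),
    "{SSHA512}": (hashlib.sha512, 64),
}


def make_hash(password, scheme="{SSHA}", salt=None):
    """Build a userPassword value: scheme prefix + base64(digest(password + salt) + salt)."""
    if scheme not in SALTED:
        raise ValueError("unsupported scheme: %s" % scheme)
    digest_fn, _ = SALTED[scheme]
    if salt is None:
        salt = os.urandom(8)  # salt length is this example's choice
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored):
    """'{SSHA}xyz' -> ('{SSHA}', 'xyz'); a value with no {scheme} prefix is cleartext."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 0:
            return stored[:end + 1].upper(), stored[end + 1:]
    return "{CLEARTEXT}", stored


def verify(password, stored):
    """Constant-time check of a password against a stored userPassword value."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "{CLEARTEXT}":
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme not in SALTED:
        raise ValueError("unsupported scheme: %s" % scheme)
    digest_fn, n = SALTED[scheme]
    raw = base64.b64decode(payload)
    digest, salt = raw[:n], raw[n:]  # everything after the digest is the salt
    return hmac.compare_digest(digest_fn(pw + salt).digest(), digest)


def audit(values):
    """Count schemes in a dump of userPassword values and return the indices of the
    entries that need attention: cleartext, or unsalted {SHA}/{MD5}, which a
    precomputed table matches instantly."""
    counts, weak = {}, []
    for i, v in enumerate(values):
        scheme, _ = split_scheme(v)
        counts[scheme] = counts.get(scheme, 0) + 1
        if scheme in ("{CLEARTEXT}", "{SHA}", "{MD5}"):
            weak.append(i)
    return counts, weak


# Constructed dump of userPassword values (not from the original post).
SAMPLE_DUMP = [
    make_hash("correct horse", "{SSHA}", salt=b"\x00\x01\x02\x03"),
    make_hash("battery staple", "{SSHA512}"),
    "password123",                        # stored without a scheme: cleartext
    "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",  # unsalted SHA-1 value, constructed for the audit
]

if __name__ == "__main__":
    h = make_hash("secret")
    print(h, verify("secret", h), verify("guess", h))
    print(audit(SAMPLE_DUMP))
```

Two caveats a practitioner should keep in mind: {SSHA} is one SHA-1 over password plus a few bytes of salt, which an attacker with a copy of the hashes can test at very high rates offline, so the ACL that keeps userPassword unreadable matters at least as much as the scheme; and the contrib pw-argon2 module provides {ARGON2} for deployments that can use a slow hash.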