Hello.
I'm having a problem regarding locked users in ldap. We are using 389DS ldap server. We lock our users with nsAccountLock=true. If user successfully logs into dovecot, his credentials gets cached. When this user is locked its credentials still stay in cache. The problem I'm having is that our ldap server returns error code 53 ("Unwilling to perform - Account inactivated"). Dovecot takes this error code and decides that ldap doesnt work so it takes users credentials from cache (like stated in docs). User can still login untill his credentials are cleared from cache.
Error message in logs: ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): ldap_bind() failed: Server is unwilling to perform Oct 20 14:39:31 SERVER dovecot: auth: ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): Falling back to expired data from cache
Does dovecot reacts to error code 53 as it should? Maybe our ldap server should return different error code - like 49/533 (Account_disabled)? How would dovecot react to error code 49?
Currenty we solve this problem by taking list of locked users and clear cache every minute.
thank you and best regards, Klemen Andreuzzi Arnes