Re: Odd password reset issue

[Anthony Porcano <anthony.porcano@247realmedia.com>]

In ES3 bundled openldap - password policy controls are limited to  
shadow attributes. You don't mention them, but I assume you are using  
shadow attributes to control when passwords expire. This is a somewhat  
outdated way of managing password policy. While it's been far from  
painless we have ppolicy implemented and mostly working in our shop.  
Overall it's worth the investment as it opens up much more  
functionality.

Upgrades aside, what you're trying to do should work. There's a few  
things you can check. First - be aware of what the shadow attributes  
are set to. This is relevant in troubleshooting. You should look at  
the shadowLastChange field to see if that is getting updated when a  
user runs passwd from a client. If this isn't happening try checking  
whether you have "pam_passwd exop" enabled in your client's /etc/ 
ldap.conf. I might be wrong here, but I think this might be needed in  
order to get shadowLastChange updating.

 --AP


On Jun 21, 2008, at 4:47 AM, Kevin Brammer wrote:

> Running the OpenLDAP server bundled with RH ES3.  I had OpenLDAP
> running successfully.  I could authenticate, pull information from the
> directory - everything seemed great!  After the 90 day password rule I
> had put in place, I got the "your password has expired" message.  I
> tried to change it, said it was successful.  A subsequent login
> received the same message. Again I changed it, and it said successful.
> Now, I can't even login.
>
> I changed my user's password as root using ldappasswd, and a check of
> the entry shows the hash changing accordingly.  However, I still can't
> login as the user.
>
> Any ideas?