Re: A question about pwdMinAge
Tony Earnshaw wrote:
> My site uses ppolicy with great success.
> Ryan Steele skrev, on 08-04-2008 23:35:
>> I wanted to test the scenario where a user had forgotten his password,
>> and needed to have it reset. I wanted to give this user the ability to
>> change this temporary password if they wanted. To do this, I:
>> 1. Executed ldappasswd, binding as the rootdn, to change the user's
>> 2. Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet
> Fie. That's part of what 'overlay smbk5pwd' is for. Does it
I'm using smbk5pwd, but I think you're missing the point here. Users
can change their passwords just fine thanks to the overlay, but not if I
reset the password, because then the sambaPwdCanChange, sambaPwdLastSet,
and pwdChangedTime (or pwdMinAge) get updated. The first two I can fix
easily; the third is where I run into trouble.
>> 3. Logged in to the domain as the user
>> 4. Hit Ctrl+Alt+Delete and selected "Change Password"
>> However, because my ppolicy pwdMinAge hadn't expired yet, the user was
>> unable to change the password. So, it seems necessary to be able to
>> change that value for the user so he/she can change their password. I
>> couldn't find an attribute called pwdMinAge, but I'm assuming that's
>> because it just looks at pwdChangedTime.
> The pwdMinAge attribute exists. Perhaps a GUI such as gq could help here.
I shouldn't need a GUI to administer the directory, but nevertheless I
installed phpldapadmin, and it doesn't see a pwdMinAge attribute in the
user's entry. Neither slapcat nor ldapvi can find this attribute on the
>> I 'assume' because I couldn't
>> find explicit documentation stating this, though the man page definition
>> for pwdChangedTime says "[pwdChangedTime] is used by the password
>> expiration policy to determine whether the password is too old to be
>> allowed to be used for user authentication." Is this why I see a
>> NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change
>> a password that is being protected by pwdMinAge?
> No, pwdMinAge has nothing to do with Samba, Samba doesn't use it - see
> pdbedit -P.
It _does_ affect being able to change your password when logged into a
Samba controlled domain. Adding a pwdMinAge attribute to my password
policy prevents the user from being able to change his/her password
after it's been reset by an administrator. I'm familiar with pdbedit,
but I fail to see how that will help me solve this problem. I'm happy
to be convinced otherwise, though.
>> And, is executing an ldapmodify the proper thing to do in this situation
>> to change the pwdChangedTime and allow the user to change his/her
>> password? E.g.:
>> ldapmodify -D "cn=admin,dc=example,dc=com" -W
>> dn: uid=someuser,ou=Users,dc=example,dc=com
>> changetype: modify
>> replace: pwdChangedTime
>> pwdChangedTime: 1207690188Z
> pwdChangedTime is an operational attribute and cannot be changed by
> *any* user, it is the directory that has to change it.
Well then, how does one accomplish what I'm trying to do? If a user
forgets his/her password, and an admin resets it, I want the user to be
able to change it to something they're comfortable with (which adheres
to the restrictions), but short of removing the pwdMinAge attribute from
my password policy, I can't seem to figure out how that is possible.
Thanks as always,
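The thread turns on two facts about slapo-ppolicy: pwdMinAge is an attribute of the pwdPolicy entry (the one named by the user's pwdPolicySubentry attribute, or the overlay's default policy), not of the user entry, and pwdChangedTime (like pwdReset and pwdPolicySubentry) is an operational attribute, so ldapsearch, ldapvi and phpldapadmin only show it when it is requested by name or with "+". The following is an added example written for this page, not code from the thread or from OpenLDAP. It parses constructed sample output of the two searches a practitioner would run (user entry with operational attributes, policy entry with pwdMinAge) and computes how long pwdMinAge will still block a self-service password change, so an administrator can tell a user when to try again instead of guessing. The DNs, timestamps and the policy value are assumptions for the example.

```python
"""Check how long ppolicy's pwdMinAge still blocks a user password change.

Added example, not code from the thread or from OpenLDAP. The two LDIF
strings below are constructed sample output of searches such as

    ldapsearch -x -D cn=admin,dc=example,dc=com -W -b dc=example,dc=com \
        '(uid=someuser)' pwdChangedTime pwdReset pwdPolicySubentry
    ldapsearch -x -D cn=admin,dc=example,dc=com -W \
        -b cn=default,ou=policies,dc=example,dc=com pwdMinAge

(DNs and values are assumptions for the example.)
"""
import base64
from datetime import datetime, timezone

# Constructed sample: user entry with its operational attributes requested.
USER_LDIF = """\
dn: uid=someuser,ou=Users,dc=example,dc=com
pwdChangedTime: 20080408213735Z
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
"""

# Constructed sample: the policy entry the user is subject to (pwdMinAge
# lives here, not on the user entry). 86400 s = one day, an assumed value.
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
pwdMinAge: 86400
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles comments, folded continuation lines (leading space) and
    base64 values ("attr:: ..."), which is enough for ldapsearch output."""
    attrs = {}
    last = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        last = name.strip()
        attrs.setdefault(last, []).append(value.strip())
    return attrs


def parse_generalized_time(value):
    """LDAP GeneralizedTime as ppolicy writes it (YYYYMMDDHHMMSSZ) -> aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def seconds_until_change_allowed(user_ldif, policy_ldif, now):
    """Seconds the user must still wait before pwdMinAge allows a change.

    `now` is a GeneralizedTime string. ppolicy refuses a password
    modification while now - pwdChangedTime < pwdMinAge; an entry without
    pwdChangedTime, or a policy without pwdMinAge (or pwdMinAge 0), imposes
    no wait, so 0 is returned in those cases."""
    user = parse_ldif(user_ldif)
    policy = parse_ldif(policy_ldif)
    min_age = int(policy.get("pwdMinAge", ["0"])[0])
    changed = user.get("pwdChangedTime")
    if min_age <= 0 or not changed:
        return 0
    age = (parse_generalized_time(now) - parse_generalized_time(changed[0])).total_seconds()
    return max(0, int(min_age - age))


if __name__ == "__main__":
    # Assumed "now", the morning after the administrator's reset.
    wait = seconds_until_change_allowed(USER_LDIF, POLICY_LDIF, "20080409090000Z")
    if wait:
        print(f"pwdMinAge still blocks a user password change for {wait} s")
    else:
        print("the user may change the password now")
```

Run it against real ldapsearch output by piping each search into the two parameters; note that the admin's own reset (done as the rootdn in the thread) is what refreshes pwdChangedTime, so the clock restarts from that reset, not from the user's last change.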