
Re: A question about pwdMinAge



Tony Earnshaw wrote:
> My site uses ppolicy with great success.
>
> Ryan Steele skrev, on 08-04-2008 23:35:
>
>> I wanted to test the scenario where a user had forgotten his password,
>> and needed to have it reset.  I wanted to give this user the ability
>> to change this temporary password if they wanted.  To do this, I:
>>
>> 1. Executed ldappasswd, binding as the rootdn, to change the user's
>> password
>> 2. Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet
>> attributes
>
> Fie. That's part of what 'overlay smbk5pwd' is for. Does it
> automatically.

I'm using smbk5pwd, but I think you're missing the point here.  Users
can change their passwords just fine thanks to the overlay, but not if I
reset the password, because then the sambaPwdCanChange, sambaPwdLastSet,
and pwdChangedTime (or pwdMinAge) get updated.  The first two I can fix
easily; the third is where I run into trouble.

>
>> 3. Logged in to the domain as the user
>> 4. Hit Ctrl+Alt+Delete and selected "Change Password"
>>
>> However, because my ppolicy pwdMinAge hadn't expired yet, the user was
>> unable to change the password.  So, it seems necessary to be able to
>> change that value for the user so he/she can change their password.  I
>> couldn't find an attribute called pwdMinAge, but I'm assuming that's
>> because it just looks at pwdChangedTime.
>
> The pwdMinAge attribute exists. Perhaps a GUI such as gq could help here.

I shouldn't need a GUI to administer the directory, but nevertheless I
installed phpldapadmin, and it doesn't see a pwdMinAge attribute in the
user's entry.  Neither slapcat nor ldapvi can find this attribute on the
user either.

>
>> I 'assume' because I couldn't
>> find explicit documentation stating this, though the man page definition
>> for pwdChangedTime says "[pwdChangedTime] is used by the password
>> expiration policy to determine whether the password is too old to be
>> allowed to be used for user authentication."  Is this why I see a
>> NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change
>> a password that is being protected by pwdMinAge?
>
> No, pwdMinAge has nothing to do with Samba, Samba doesn't use it - see
> pdbedit -P.

It _does_ affect being able to change your password when logged into a
Samba controlled domain.  Adding a pwdMinAge attribute to my password
policy prevents the user from being able to change his/her password
after it's been reset by an administrator.  I'm familiar with pdbedit,
but I fail to see how that will help me solve this problem.  I'm happy
to be convinced otherwise, though.
>
>> And, is executing an ldapmodify the proper thing to do in this situation
>> to change the pwdChangedTime and allow the user to change his/her
>> password?  E.g.:
>>
>> ldapmodify -D "cn=admin,dc=example,dc=com" -W
>> dn: uid=someuser,ou=Users,dc=example,dc=com
>> changetype: modify
>> replace: pwdChangedTime
>> # pwdChangedTime is a GeneralizedTime (YYYYMMDDHHMMSSZ), not a Unix epoch value
>> pwdChangedTime: 20080408212948Z
>
> pwdChangedTime is an operational attribute and cannot be changed by
> *any* user, it is the directory that has to change it.
>

Well then, how does one accomplish what I'm trying to do?  If a user
forgets his/her password, and an admin resets it, I want the user to be
able to change it to something they're comfortable with (which adheres
to the restrictions), but short of removing the pwdMinAge attribute from
my password policy, I can't seem to figure out how that is possible.

Thanks as always,
Ryan
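As an added example, not part of this thread: a small check an admin can run after a reset to see whether ppolicy's pwdMinAge still blocks the user's own password change, computed from the user's operational pwdChangedTime and the policy entry's pwdMinAge. The LDIF inputs are constructed sample data in the shape ldapsearch returns (with '+' requested for operational attributes); no real directory is contacted.

```python
# Added example (not from the thread): compute how long pwdMinAge still
# blocks a user's own password change, from the user's pwdChangedTime
# (operational, GeneralizedTime) and the policy's pwdMinAge (seconds).
from datetime import datetime, timezone

# Constructed sample entries, in the form returned by ldapsearch.
USER_LDIF = """dn: uid=someuser,ou=Users,dc=example,dc=com
pwdChangedTime: 20080408212948Z
"""
POLICY_LDIF = """dn: cn=default,ou=Policies,dc=example,dc=com
pwdMinAge: 86400
"""

def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20080408212948Z (UTC only)."""
    if not value.endswith("Z") or len(value) < 15:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def ldif_attrs(ldif: str) -> dict:
    """Collect attribute values from a single-entry LDIF (no base64, no folding)."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith("#"):
            name, _, val = line.partition(":")
            attrs.setdefault(name.strip(), []).append(val.strip())
    return attrs

def seconds_until_change_allowed(user_ldif: str, policy_ldif: str, now_gt: str) -> int:
    """Return 0 if the user may change the password at time now_gt (a
    GeneralizedTime), else the seconds of pwdMinAge still remaining.
    pwdMinAge absent or 0, or no pwdChangedTime, means no age restriction."""
    user = ldif_attrs(user_ldif)
    policy = ldif_attrs(policy_ldif)
    min_age = int(policy.get("pwdMinAge", ["0"])[0])
    changed = user.get("pwdChangedTime")
    if min_age <= 0 or not changed:
        return 0
    age = (parse_generalized_time(now_gt) - parse_generalized_time(changed[0])).total_seconds()
    return max(0, int(min_age - age))

if __name__ == "__main__":
    left = seconds_until_change_allowed(USER_LDIF, POLICY_LDIF, "20080409000000Z")
    print("user may change password now" if left == 0 else f"blocked for {left} more seconds")
```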