Tony Earnshaw wrote:
> My site uses ppolicy with great success.
>
> Ryan Steele wrote, on 08-04-2008 23:35:
>> I wanted to test the scenario where a user had forgotten his password,
>> and needed to have it reset. I wanted to give this user the ability to
>> change this temporary password if they wanted. To do this, I:
>>
>> 1. Executed ldappasswd, binding as the rootdn, to change the user's
>>    password
>> 2. Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet
>>    attributes
>
> Fie. That's part of what 'overlay smbk5pwd' is for. Does it
> automatically.

I'm using smbk5pwd, but I think you're missing the point here. Users can
change their passwords just fine thanks to the overlay, but not if I
reset the password, because then the sambaPwdCanChange, sambaPwdLastSet,
and pwdChangedTime (or pwdMinAge) get updated. The first two I can fix
easily; the third is where I run into trouble.

>> 3. Logged in to the domain as the user
>> 4. Hit Ctrl+Alt+Delete and selected "Change Password"
>>
>> However, because my ppolicy pwdMinAge hadn't expired yet, the user was
>> unable to change the password. So, it seems necessary to be able to
>> change that value for the user so he/she can change their password. I
>> couldn't find an attribute called pwdMinAge, but I'm assuming that's
>> because it just looks at pwdChangedTime.
>
> The pwdMinAge attribute exists. Perhaps a GUI such as gq could help
> here.

I shouldn't need a GUI to administer the directory, but nevertheless I
installed phpldapadmin, and it doesn't see a pwdMinAge attribute in the
user's entry. Neither slapcat nor ldapvi can find this attribute on the
user either.

>> I 'assume' because I couldn't find explicit documentation stating this,
>> though the man page definition for pwdChangedTime says "[pwdChangedTime]
>> is used by the password expiration policy to determine whether the
>> password is too old to be allowed to be used for user authentication."
>> Is this why I see a NT_STATUS_WRONG_PASSWORD returned from LDAP when a
>> user tries to change a password that is being protected by pwdMinAge?
>
> No, pwdMinAge has nothing to do with Samba, Samba doesn't use it - see
> pdbedit -P.

It _does_ affect being able to change your password when logged into a
Samba controlled domain. Adding a pwdMinAge attribute to my password
policy prevents the user from being able to change his/her password
after it's been reset by an administrator. I'm familiar with pdbedit,
but I fail to see how that will help me solve this problem. I'm happy
to be convinced otherwise, though.

>> And, is executing an ldapmodify the proper thing to do in this situation
>> to change the pwdChangedTime and allow the user to change his/her
>> password? E.g.:
>>
>> ldapmodify -D "cn=admin,dc=example,dc=com" -W
>> dn: uid=someuser,ou=Users,dc=example,dc=com
>> changetype: modify
>> replace: pwdChangedTime
>> pwdChangedTime: 20080408212948Z
>
> pwdChangedTime is an operational attribute and cannot be changed by
> *any* user, it is the directory that has to change it.

Well then, how does one accomplish what I'm trying to do? If a user
forgets his/her password, and an admin resets it, I want the user to be
able to change it to something they're comfortable with (which adheres
to the restrictions), but short of removing the pwdMinAge attribute from
my password policy, I can't seem to figure out how that is possible.

Thanks as always,
Ryan
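As an added illustration of the arithmetic the thread is arguing about (this is example code written for this page, not code from the thread, from Samba, or from OpenLDAP's ppolicy overlay), the following models a pwdMinAge check the way the posts describe it: the minimum age is measured from the entry's pwdChangedTime, which slapd writes itself in LDAP GeneralizedTime syntax. It also shows why a value such as `1207690188Z` (a Unix epoch with a `Z` appended, as in the LDIF above) is not valid GeneralizedTime, and what the same instant looks like in the correct syntax. The policy value of one day and the treatment of an entry with no pwdChangedTime (check skipped, since there is no age to measure) are assumptions made for the example, and the entry and policy below are constructed sample data.

```python
"""Model of the pwdMinAge check discussed in the thread.

Added example, not code from the thread or from OpenLDAP's ppolicy overlay.
It assumes only what the posts state: pwdMinAge (seconds) is measured from
the entry's pwdChangedTime, which slapd writes itself as LDAP GeneralizedTime.
Sample entry and policy values below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# GeneralizedTime as slapd stores pwdChangedTime: YYYYMMDDHHMMSS[.fraction]Z
_GENTIME = re.compile(r"^(\d{14})(?:[.,]\d+)?Z$")


def is_generalized_time(value: str) -> bool:
    """True for a well-formed UTC GeneralizedTime. False for e.g. '1207690188Z',
    a Unix epoch with a Z appended, which is a syntax violation for this attribute."""
    return _GENTIME.match(value) is not None


def parse_generalized_time(value: str) -> datetime:
    """Parse GeneralizedTime into an aware UTC datetime (fractional seconds dropped)."""
    m = _GENTIME.match(value)
    if not m:
        raise ValueError("not LDAP GeneralizedTime: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def epoch_to_generalized_time(epoch: int) -> str:
    """Render a Unix timestamp in the syntax slapd uses for pwdChangedTime."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")


def min_age_check(entry: Dict[str, str], policy: Dict[str, str],
                  now: datetime) -> Tuple[bool, str]:
    """Decide whether a self-service password change passes pwdMinAge.

    entry  : attributes of the user entry (pwdChangedTime is optional)
    policy : the pwdPolicy entry; pwdMinAge in seconds, 0 or absent = not enforced
    Returns (allowed, reason).
    Assumption: an entry without pwdChangedTime has no age to measure, so the
    check is skipped.
    """
    min_age = timedelta(seconds=int(policy.get("pwdMinAge", "0")))
    if min_age <= timedelta(0):
        return True, "pwdMinAge not set in policy"
    changed = entry.get("pwdChangedTime")
    if changed is None:
        return True, "entry has no pwdChangedTime"
    age = now - parse_generalized_time(changed)
    if age < min_age:
        remaining = int((min_age - age).total_seconds())
        return False, "password too young: %ds until a change is allowed" % remaining
    return True, "minimum age satisfied"


# Constructed sample: the administrator reset the password at the instant the
# thread's LDIF gives as an epoch, and the (assumed) policy sets a one-day minimum age.
RESET_EPOCH = 1207690188
SAMPLE_ENTRY = {"pwdChangedTime": epoch_to_generalized_time(RESET_EPOCH)}
SAMPLE_POLICY = {"pwdMinAge": "86400"}


def check_after(seconds_after_reset: int) -> Tuple[bool, str]:
    """Run the check as if the user tried to change the password this many
    seconds after the administrator's reset."""
    now = datetime.fromtimestamp(RESET_EPOCH + seconds_after_reset, tz=timezone.utc)
    return min_age_check(SAMPLE_ENTRY, SAMPLE_POLICY, now)


if __name__ == "__main__":
    print("pwdChangedTime as slapd would write it:", SAMPLE_ENTRY["pwdChangedTime"])
    for delay in (3600, 86400, 172800):
        allowed, why = check_after(delay)
        print("%6ds after reset: %s (%s)" % (delay, "allowed" if allowed else "refused", why))
    print("'1207690188Z' is valid GeneralizedTime?", is_generalized_time("1207690188Z"))
```

Run with the interpreter and the three timings show the user refused one hour after the reset, then allowed once the full pwdMinAge has elapsed. The point for an operator is that the refusal is a function of the reset timestamp and the policy only, so an administrator-driven reset inevitably restarts the clock unless the policy itself is changed or the directory is told to write a different pwdChangedTime.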