[Date Prev][Date Next]
Re: A question about pwdMinAge
Ryan Steele wrote:
Howard Chu wrote:
Chris G. Sellers wrote:
pwdMinAge is part of the password policy, not part of the user's record.
The scheme defines pwdMinAge as being part of the objectClass
pwdPolicy, so unless you have that in your users record, it will not
I believe you assume correct that it uses math to determine when the
password was last changed, and when the current time is. If that does
not exceed the value of the password policy entry for pwdMinAge, then
the change will fail.
You could change the user's passwordPolicy to be Zero Day password
change,but you would have to change it back.
RTFM already. slapo-ppolicy(5), pwdReset.
I set pwdReset to TRUE after setting a reasonable pwdMinAge, and reset
the user's password with ldappasswd, binding as the rootdn to make the
Set pwdReset to TRUE *after* using ldappasswd. Normally any pwdModify
operation will remove the pwdReset attribute.
Then, I adjusted the sambaPwdCanChange and sambaPwdLastSet
values to something earlier than the current time. Alas, I still get
"Password is too young to change" from LDAP. My only recourse at this
point is to only enforce the 'min password age' in Samba via pdbedit,
but I'd really like to enforce this in LDAP as well as an extra
precaution against shell users circumventing the policies laid forth in
Samba. Any and all advice and/or clue-stick beatings welcome.
I look forward to the day when the interaction between the two is more
seamless/native, which hopefully is in the not-too-distant future; I've
been made aware of a new RFC proposal to make Samba play nice with
Yes, one can hope...
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/