[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: A question about pwdMinAge

Ryan Steele wrote:
Howard Chu wrote:
Chris G. Sellers wrote:
pwdMinAge is part of the password policy, not part of the user's record.

The scheme defines pwdMinAge as being part of the objectClass
pwdPolicy, so unless you have that in your users record, it will not
be there.

I believe you assume correct that it uses math to determine when the
password was last changed, and when the current time is.  If that does
not exceed the value of the password policy entry for pwdMinAge, then
the change will fail.

You could change the user's passwordPolicy to be Zero Day password
change,but you would have to change it back.
RTFM already. slapo-ppolicy(5), pwdReset.

I set pwdReset to TRUE after setting a reasonable pwdMinAge, and reset
the user's password with ldappasswd, binding as the rootdn to make the

Set pwdReset to TRUE *after* using ldappasswd. Normally any pwdModify operation will remove the pwdReset attribute.

Then, I adjusted the sambaPwdCanChange and sambaPwdLastSet
values to something earlier than the current time.  Alas, I still get
"Password is too young to change" from LDAP.  My only recourse at this
point is to only enforce the 'min password age' in Samba via pdbedit,
but I'd really like to enforce this in LDAP as well as an extra
precaution against shell users circumventing the policies laid forth in
Samba.  Any and all advice and/or clue-stick beatings welcome.

I look forward to the day when the interaction between the two is more
seamless/native, which hopefully is in the not-too-distant future; I've
been made aware of a new RFC proposal to make Samba play nice with

Yes, one can hope... -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/