Re: Odd password reset issue
In ES3 bundled openldap - password policy controls are limited to
shadow attributes. You don't mention them, but I assume you are using
shadow attributes to control when passwords expire. This is a somewhat
outdated way of managing password policy. While it's been far from
painless we have ppolicy implemented and mostly working in our shop.
Overall it's worth the investment as it opens up much more
Upgrades aside, what you're trying to do should work. There are a few
things you can check. First - be aware of what the shadow attributes
are set to. This is relevant in troubleshooting. You should look at
the shadowLastChange field to see if that is getting updated when a
user runs passwd from a client. If this isn't happening try checking
whether you have "pam_passwd exop" enabled in your client's
/etc/ldap.conf. I might be wrong here, but I think this might be needed in
order to get shadowLastChange updating.
On Jun 21, 2008, at 4:47 AM, Kevin Brammer wrote:
Running the OpenLDAP server bundled with RH ES3. I had OpenLDAP
running successfully. I could authenticate, pull information from the
directory - everything seemed great! After the 90 day password rule I
had put in place, I got the "your password has expired" message. I
tried to change it, said it was successful. A subsequent login
received the same message. Again I changed it, and it said successful.
Now, I can't even log in.
I changed my user's password as root using ldappasswd, and a check of
the entry shows the hash changing accordingly. However, I still can't
log in as the user.
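
The shadowLastChange check suggested in the reply, as an added example that is not part of the original thread: a shell function that reads an entry's LDIF and reports whether the shadow attributes still mark the password as expired, which is what happens when the hash changes but shadowLastChange does not. The function names, the sample entries and the expiry rule (expired once the password age in days exceeds shadowMax, following the /etc/shadow convention) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Classify a shadowAccount entry read as LDIF on stdin.
# $1 = "today" in days since 1970-01-01, the unit shadowLastChange uses.
shadow_status() {
    awk -v today="$1" '
        # LDIF attribute names are case-insensitive.
        { key = tolower($1) }
        key == "shadowlastchange:" { last = $2 + 0; have_last = 1 }
        key == "shadowmax:"        { max  = $2 + 0; have_max  = 1 }
        END {
            if (!have_max)  { print "no-expiry";     exit }
            if (!have_last) { print "no-lastchange"; exit }
            age = today - last
            # Assumption: expired once the age exceeds shadowMax.
            if (age > max) print "expired", age - max
            else           print "ok", max - age
        }'
}

# Current date in the same unit as shadowLastChange.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Constructed sample: password hash was reset, shadowLastChange was not.
STALE_ENTRY='dn: uid=testuser,ou=People,dc=example,dc=com
userPassword: {SSHA}constructed-placeholder-after-reset
shadowLastChange: 13950
shadowMax: 90'

# Constructed sample: the same entry after shadowLastChange was updated.
UPDATED_ENTRY='dn: uid=testuser,ou=People,dc=example,dc=com
userPassword: {SSHA}constructed-placeholder-after-reset
shadowLastChange: 14051
shadowMax: 90'

# Day 14051 is 2008-06-21, the date of the quoted message.
printf '%s\n' "$STALE_ENTRY"   | shadow_status 14051
printf '%s\n' "$UPDATED_ENTRY" | shadow_status 14051

# Against a live directory (base DN and uid are placeholders):
#   ldapsearch -x -LLL -b "dc=example,dc=com" "(uid=testuser)" \
#       shadowLastChange shadowMax | shadow_status "$(today_days)"
```

An "expired" result immediately after a successful password change means the change did not update shadowLastChange.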