On Saturday 21 June 2008 12:49:52 pm Anthony Porcano wrote:
> In ES3 bundled openldap - password policy controls are limited to
> shadow attributes. You don't mention them, but I assume you are using
> shadow attributes to control when passwords expire. This is a somewhat
> outdated way of managing password policy. While it's been far from
> painless we have ppolicy implemented and mostly working in our shop.
> Overall it's worth the investment as it opens up much more
> functionality.
>
> Upgrades aside, what you're trying to do should work. There's a few
> things you can check. First - be aware of what the shadow attributes
> are set to. This is relevant in troubleshooting. You should look at
> the shadowLastChange field to see if that is getting updated when a
> user runs passwd from a client. If this isn't happening try checking
> whether you have "pam_passwd exop" enabled in your client's
> /etc/ldap.conf. I might be wrong here, but I think this might be
> needed in order to get shadowLastChange updating.
>

And double-check that the shadowLastChange attribute is allowed in your ACLs, only when you are not using the rootdn with your nss/pam configuration.

> --AP
>
> On Jun 21, 2008, at 4:47 AM, Kevin Brammer wrote:
> > Running the OpenLDAP server bundled with RH ES3. I had OpenLDAP
> > running successfully. I could authenticate, pull information from the
> > directory - everything seemed great! After the 90 day password rule I
> > had put in place, I got the "your password has expired" message. I
> > tried to change it, said it was successful. A subsequent login
> > received the same message. Again I changed it, and it said successful.
> > Now, I can't even login.
> >
> > I changed my user's password as root using ldappasswd, and a check of
> > the entry shows the hash changing accordingly. However, I still can't
> > login as the user.
> >
> > Any ideas?

--
Jorge Armando Medina
Computación Gráfica de México
Web: www.e-compugraf.com
Tel: 55 51 40 72
email: firstname.lastname@example.org
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
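
Added example, not part of the original thread and not written by any of its participants: a Python check of the shadow attributes discussed above, showing why a changed userPassword hash still produces "password expired" when shadowLastChange is not updated. The LDIF entry, the uid, and the function names are constructed for illustration; shadowMax: 90 stands in for the 90 day rule mentioned in the question.

```python
import datetime

EPOCH = datetime.date(1970, 1, 1)

# Constructed sample (not from the thread): ldapsearch output for a test user
# whose password was changed while shadowLastChange kept its old value.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: shadowAccount
uid: testuser
shadowLastChange: 13950
shadowMax: 90
"""

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folds long lines with one leading space
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry

def shadow_status(entry, today):
    """Return (state, days_left) from shadowLastChange and shadowMax."""
    def num(attr):
        try:
            return int(entry[attr.lower()][0])
        except (KeyError, ValueError):
            return None
    last, maximum = num("shadowLastChange"), num("shadowMax")
    if last is None:
        return ("no-shadowLastChange", None)
    if last == 0:
        return ("must-change", None)      # shadow(5): 0 forces a change at next login
    if maximum is None or maximum < 0:
        return ("no-expiry", None)
    # Both attributes count days since 1970-01-01, not seconds.
    days_left = last + maximum - (today - EPOCH).days
    return ("expired" if days_left < 0 else "ok", days_left)

if __name__ == "__main__":
    today = datetime.date(2008, 6, 21)    # date of the original post
    print(shadow_status(parse_entry(SAMPLE_LDIF), today))
```

Run against the sample, the entry reports as expired until shadowLastChange is rewritten to the current day number, which is the update the replies above suggest verifying.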