Re: Please help me with ppolicy pwdReset

On Jul 18, 2008, at 10:22 PM, Scott Classen wrote:

Hi All,

This is my default ppolicy:

dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: device
pwdAttribute: userPassword
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdAllowUserChange: TRUE
cn: default
pwdSafeModify: FALSE
pwdExpireWarning: 0
pwdInHistory: 1
pwdMinLength: 7
pwdGraceAuthNLimit: 1
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 63072000
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdMinAge: 0

Here is an example of a user with their pwdReset attribute set to TRUE. I've only included the relevant lines:

dn: uid=newguy,ou=People,dc=example,dc=com
pwdChangedTime: 20080718234642Z
pwdReset: TRUE
pwdPolicySubentry: cn=default,ou=Policies,dc=example,dc=com

Shouldn't this user be requested to change their password the next time they log in?

Well, they're not. Logins are successful and there is no prompting for a new password.

Can someone please help me troubleshoot this?


Well, I fixed the problem. I just needed to add the following line to my client /etc/ldap.conf files:

pam_lookup_policy yes

Yeah! Now users are prompted to change their passwords.
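
Added example, not part of the original post: a small Python check for the situation in this thread, where pwdReset is TRUE on the server but the client never prompts. It assumes pam_ldap treats pam_lookup_policy as off when absent and on only when set to "yes", and that a prompt needs both pwdMustChange: TRUE in the policy and pwdReset: TRUE on the user; the function names and status strings are made up for illustration.

```python
# Added example; sample entries are constructed from the ones quoted in the thread.
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
pwdMustChange: TRUE
"""
USER_LDIF = """\
dn: uid=newguy,ou=People,dc=example,dc=com
pwdReset: TRUE
pwdPolicySubentry: cn=default,ou=Policies,dc=example,dc=com
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attr: [values]} (no base64 decoding)."""
    entry, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:        # folded continuation line
            entry[last][-1] += line[1:]
        elif ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    return entry

def client_looks_up_policy(conf_text):
    """True if the last pam_lookup_policy line says 'yes' (absent = off, assumed)."""
    enabled = False
    for line in conf_text.splitlines():
        parts = line.split()                     # '#pam_lookup_policy' never matches
        if len(parts) >= 2 and parts[0].lower() == "pam_lookup_policy":
            enabled = parts[1].lower() == "yes"
    return enabled

def first(entry, attr, default=""):
    return entry.get(attr, [default])[0]

def audit(user, policy, conf_text):
    """Classify whether a pending reset will reach the user as a prompt."""
    pol_dn = first(policy, "dn").lower()
    if first(user, "pwdpolicysubentry", pol_dn).lower() != pol_dn:
        return "other-policy-applies"
    must = first(policy, "pwdmustchange", "FALSE").upper() == "TRUE"
    reset = first(user, "pwdreset", "FALSE").upper() == "TRUE"
    if not (must and reset):
        return "no-change-required"
    if not client_looks_up_policy(conf_text):
        return "reset-pending-but-client-will-not-prompt"
    return "prompt-expected"

if __name__ == "__main__":
    user, policy = parse_ldif_entry(USER_LDIF), parse_ldif_entry(POLICY_LDIF)
    print(audit(user, policy, "base dc=example,dc=com\n"))
```

Run against each client's /etc/ldap.conf text together with ldapsearch output for the user and policy entries, it flags hosts where a reset is pending but logins will proceed without a prompt.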