[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pwdMustChange and pwdExpireWarning

Hello Buchan
I set pwdReset manually and it worked.  Thank you.
For my issue regarding pwdExpireWarning not displaying warning message when I ssh into my systems, I still can't figure out what I did wrong.  Here is my default policy:
dn: cn=default,ou=Policies,dc=example,dc=company
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 1209600
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 24
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 5184000
pwdMaxFailure: 3
pwdMinLength: 12
pwdMustChange: TRUE
pwdSafeModify: FALSE
pwdMaxAge works perfectly and so does every other attribute, except pwdExpireWarning.  pwdExpireWarning is the only one I am having issues now.  Not sure what I did wrong.  Do you need to know any other details?  Thank you very much for taking your time to help me.

On Mon, Aug 16, 2010 at 11:12 AM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Thursday, 12 August 2010 21:47:18 Wei Gao wrote:
> I have pwdMustChange set to true in my default ppolicy. I tried to change a
> user's password EITHER as Manager on LDAP server OR via the following
> command on my LDAP server
> ldappasswd -x -D "cn=Manager,dc=example,dc=company" -W -S
> "uid=user1,ou=People,dc=example,dc=company"
> Since I have pwdMustChange set to true, the user should be required to
> change his password when he tries to log in next time.


> But the system
> doesn't prompt the user to change his password. And when I ran slapcat -a
> '(uid=user1)', I saw most Operational Attributes except pwdReset.

You currently have to set pwdReset manually. I don't see any documentation
that indicates that pwdReset should automatically be set when the password is
changed in a specific way.

> All my
> settings seem to be correct. I couldn't figure out what is wrong here.
> One other question I have is: In my default ppolicy, I have
> pwdExpireWarning set to 1209600 (14 days). My current password is going to
> expire in 12 days, how come I don't see a warning message when I ssh to my
> system?

Misconfigured PAM stack probably (authorization, IOW account lines). There have
been previous solutions in previous threads on this topic, and without any
details of your system it isn't possible to assist further.