[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pwdRESET not working

To: openldap-technical@openldap.org
Subject: Re: pwdRESET not working
From: Clément OUDOT <clement.oudot@worteks.com>
Date: Tue, 22 May 2018 10:21:34 +0200
Content-language: fr-FR
In-reply-to: <CAP7y58NojJJMDV8G=93DuDWgQCgmJ9bkvnHZjLcnr0AAnebG-g@mail.gmail.com>
Organization: Worteks
References: <CAP7y58PYuoLJusteEuCwdsce_wyWj2oQjEkQrKap+7RV1m-CAw@mail.gmail.com> <acb181e8-c665-369b-486b-536cd5c2ddde@worteks.com> <ef40298a-d821-c66a-4112-6beead399e0d@gmail.com> <CAP7y58NojJJMDV8G=93DuDWgQCgmJ9bkvnHZjLcnr0AAnebG-g@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Thunderbird/52.7.0



Le 21/05/2018 à 17:10, Net Warrior a écrit :

Hello
When I force the expiration changing pwdMaxAge what I can see in the
log is the following:

  ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired
password: 0 grace logins

I test the login, I get two warning as configured but the user is
never  forced to change it and can login as usual, any hint on this?



Seems you are mixing OpenLDAP ppolicy and shadow policy.

Anyway, if the OpenLDAP ppolicy has expired the password, you should notbe able to log in, unless you set some cache or failback on local account.

You should test with ldapsearch or ldapwhoami command to understand thebehavior of OpenLDAP ppolicy. Then you can configure pam/sssd to fityour needs.


--
Clément Oudot | Identity Solutions Manager

Worteks | https://www.worteks.com

References:
- pwdRESET not working
  - From: Net Warrior <netwarrior863@gmail.com>
- Re: pwdRESET not working
  - From: Clément OUDOT <clement.oudot@worteks.com>
- Re: pwdRESET not working
  - From: Net Warrior <netwarrior863@gmail.com>

Prev by Date: Re: pwdRESET not working
Next by Date: Re: Understanding slapd connections
Index(es):
- Chronological
- Thread