I have been attempting to use
the ppolicy overlay on an openldap server running on a Red Hat V5.4 platform
with the following components: openldap-servers-2.3.43-3.el5 checkpassword-ldap-0.01-1.2.el5.rf mozldap-6.0.5-1.el5 openldap-2.3.43-3.el5 openldap-debuginfo-2.3.43-3.el5 nss_ldap-253-22.el5_4 openldap-clients-2.3.43-3.el5 openldap-servers-overlays-2.3.43-3.el5 I was unable to get the users
password to expire by simply setting a value for pwdMaxAge without the use of
the pwdReset parameter. I finally turned on all
debugging in the slapd.conf file (value -1) and noticed that the value of
pwdGraceAuthNLimit in the default policy, was set to 3, which allowed the ldap user access without changing
the password. The disturbing thing about
this was the fact that the user is not notifed that their password has
expired. I would have thought that if the intent was to allow an expired password, then the
user should be notified of not only the fact that their password has expired but how
many more grace logins they would be allowed before either having to
change the password or having the account disabled. Is this really what development
had intended or are there some enhancements to this behavior in a later
version ? Thanks, Al Licause HP Services Unix Network Team |