
Re: pwdMaxAge And pwdExpireWarning not working



Never mind, I have got it working now. The issue was that my LDIF file had the password policy definition after the user definitions, so the password policy was not getting applied initially to the users (until the password was changed again).
#LDIF file
# admin, people, example.com
dn: uid=admin,ou=people,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson

-
-
-
-
 
# policies, example.com
dn: ou=policies,dc=example,dc=com
ou: policies
objectClass: organizationalUnit
objectClass: top
 

Changing the order in the LDIF made it work. Strange issue, though.

Regards,
Swapnil
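An added illustration of the behaviour described above (this is not code from the thread or from OpenLDAP): slapo-ppolicy measures password age from the operational attribute pwdChangedTime, which the overlay stamps on an entry only when it processes a password change. Entries that were loaded before the policy existed carry no pwdChangedTime, so pwdMaxAge and pwdExpireWarning have nothing to count from and such passwords never expire. The script below reads a small constructed LDIF export (the admin entry mirrors the thread's case, the alice entry is hypothetical) and, using the pwdMaxAge/pwdExpireWarning values from the cn=default policy in the thread, reports per user whether expiry can take effect at a given GeneralizedTime clock value. It goes slightly beyond the thread by also classifying entries as ok, in the warning window, or expired.

```python
# Added example, not from the thread: audit a ppolicy-governed LDIF export and
# report, per user, whether pwdMaxAge can actually take effect.
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample export. The admin entry mirrors the thread's case: loaded
# before the policy existed, so it has no pwdChangedTime. The alice entry
# (hypothetical) had its password set while the overlay was active.
SAMPLE_LDIF = """\
# admin, people, example.com
dn: uid=admin,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: admin
userPassword:: e1NTSEF9NU1WNHpuTHB2N3ZmSkcvaU44VC85QkNJMWVueU5hcDc=

# alice, people, example.com (constructed)
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9eHh4
pwdChangedTime: 20130321180000Z
"""

# Values from the cn=default policy shown in the thread, in seconds.
POLICY = {"pwdMaxAge": 2000, "pwdExpireWarning": 600}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20130321180000Z (fractional
    seconds, if present, are dropped) into an aware UTC datetime."""
    stamp = value.split(".")[0].rstrip("Z")
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF reader: a blank line separates entries, a leading space
    folds a value onto the previous line, '::' marks a base64 value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def expiry_status(entry, policy, now):
    """Classify one entry the way the overlay evaluates expiry: the reference
    point is pwdChangedTime; without it pwdMaxAge can never be reached."""
    changed = entry.get("pwdChangedTime")
    if not changed:
        return ("policy-not-applied", None)
    expires_at = parse_generalized_time(changed[0]) + timedelta(seconds=policy["pwdMaxAge"])
    remaining = int((expires_at - now).total_seconds())
    if remaining <= 0:
        return ("expired", remaining)
    if remaining <= policy["pwdExpireWarning"]:
        return ("warning", remaining)
    return ("ok", remaining)


def audit(ldif_text, policy, now_generalized_time):
    """Map each DN that has a userPassword to (status, seconds_remaining)."""
    now = parse_generalized_time(now_generalized_time)
    return {e["dn"][0]: expiry_status(e, policy, now)
            for e in parse_ldif(ldif_text) if "userPassword" in e}


if __name__ == "__main__":
    # Constructed clock: half an hour after alice's password change.
    for dn, (status, secs) in audit(SAMPLE_LDIF, POLICY, "20130321183000Z").items():
        print(f"{status:20s} {str(secs):>6}  {dn}")
```

Entries reported as policy-not-applied are exactly the ones the thread describes: the fix is either to load the policy before the users or to set each such user's password once through slapd with the overlay configured, so that pwdChangedTime gets stamped. On a live server the same check can be made with ldapsearch by requesting the operational attribute pwdChangedTime explicitly, since it is not returned by default.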


From: Swapnil Dubey <swapnil_k_d2002@yahoo.com>
To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Sent: Thursday, March 21, 2013 11:42 PM
Subject: pwdMaxAge And pwdExpireWarning not working

Hi All,
 
I am using OpenLDAP 2.4.32 on Solaris 10. It seems that pwdMaxAge and pwdExpireWarning are not working. Other policies like pwdInHistory and pwdLockout seem to work fine. I cannot see either an expiry message or an authentication failure in the logs after I wait for the configured time in seconds. Can somebody help me out with this?
 
-bash-3.00# ./ldapwhoami -x -D uid=admin,ou=People,dc=example,dc=com -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 0 seconds)
dn:uid=admin,ou=people,dc=example,dc=com
 
Here is my configuration.
 
 
-bash-3.00# ./ldapsearch -x -b "dc=example,dc=com" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: domain
dc: example
 
# roles, example.com
dn: ou=roles,dc=example,dc=com
objectClass: organizationalUnit
ou: roles
 
# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
 
# admin, people, example.com
dn: uid=admin,ou=people,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: admin
displayName: Admin
givenName: admin
mail: admin@example.com
sn: Admin
uid: admin
userPassword:: e1NTSEF9NU1WNHpuTHB2N3ZmSkcvaU44VC85QkNJMWVueU5hcDc=
 
# utsacct_provisioner, roles, example.com
dn: cn=utsacct_provisioner,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: utsacct_provisioner
uniqueMember: uid=admin,ou=people,dc=example,dc=com
 
# provisioner, roles, example.com
dn: cn=provisioner,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: provisioner
uniqueMember: uid=admin,ou=people,dc=example,dc=com
 
# policies, example.com
dn: ou=policies,dc=example,dc=com
ou: policies
objectClass: organizationalUnit
objectClass: top
 
# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
 
# search result
search: 2
result: 0 Success
 
# numResponses: 9
# numEntries: 8
 
 
Slapd.conf
---------------------------------
 
#######################################################################
# BDB database definitions
#######################################################################
 
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
 
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
 
 
 
 Regards,
Swapnil