RE: ppolicy and pwdGraceUseTime

[Craig White <CWhite@skytouchtechnology.com>]

Thanks for the reply. I actually figured out the problem Friday but was tasked with getting all of the changes done for PCI compliance and didn't have time to mark this as solved.

The problem was that there were 2 ppolicy overlay entries - apparently someone created a ppolicy overlay in 2013 when it was setup but didn't load the module and I didn't detect the previous ppolicy overlay entry was there until I started looking things over with the error. I deleted one and then password changes worked - problem solved.

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Abdelhamid Meddeb
Sent: Saturday, August 29, 2015 12:14 AM
To: openldap-technical@openldap.org
Subject: Re: ppolicy and pwdGraceUseTime

Hi,

I think you are confusing between the password expiration and account 
lockout.

If your account is locked after several failed attempts to bind, you 
cannot modify your passwords.

Cheers.

Le 28/08/2015 18:37, Craig White a écrit :
> Openldap 2.4.39
>
> Adding in policy in already running OpenLDAP installation. Mostly
> functional – I was locked out after failed password attempts as expected.
>
> Existing user with password beyond expiration is an issue. It is
> extended grace logins as expected but when I try to change the password,
> I get an error which appears to be  “error 16 – modify/delete:
> pwdGraceUseTime: no such attribute”
>

-- 
*Abdelhamid Meddeb*
http://www.meddeb.net