Re: A question about pwdMinAge



My site uses ppolicy with great success.

Ryan Steele wrote, on 08-04-2008 23:35:

> I wanted to test the scenario where a user had forgotten his password,
> and needed to have it reset.  I wanted to give this user the ability
> to change this temporary password if they wanted.  To do this, I:
>
> 1. Executed ldappasswd, binding as the rootdn, to change the user's password
> 2. Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet attributes

Fie. That's part of what 'overlay smbk5pwd' is for. Does it automatically.

> 3. Logged in to the domain as the user
> 4. Hit Ctrl+Alt+Delete and selected "Change Password"
>
> However, because my ppolicy pwdMinAge hadn't expired yet, the user was
> unable to change the password.  So, it seems necessary to be able to
> change that value for the user so he/she can change their password.  I
> couldn't find an attribute called pwdMinAge, but I'm assuming that's
> because it just looks at pwdChangedTime.

The pwdMinAge attribute exists. Perhaps a GUI such as gq could help here.

> I 'assume' because I couldn't
> find explicit documentation stating this, though the man page definition
> for pwdChangedTime says "[pwdChangedTime] is used by the password
> expiration policy to determine whether the password is too old to be
> allowed to be used for user authentication."  Is this why I see a
> NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change
> a password that is being protected by pwdMinAge?

No, pwdMinAge has nothing to do with Samba; Samba doesn't use it - see pdbedit -P.


> And, is executing an ldapmodify the proper thing to do in this situation
> to change the pwdChangedTime and allow the user to change his/her
> password?  E.g.:
>
>     # simple bind as the admin; the LDIF is read from stdin (here-document)
>     ldapmodify -x -D "cn=admin,dc=example,dc=com" -W <<'EOF'
>     dn: uid=someuser,ou=Users,dc=example,dc=com
>     changetype: modify
>     replace: pwdChangedTime
>     # pwdChangedTime is a GeneralizedTime (YYYYmmddHHMMSSZ), not a Unix epoch;
>     # the original post gave the epoch value 1207690188 here, which is this time
>     pwdChangedTime: 20080408212948Z
>     EOF

pwdChangedTime is an operational attribute and cannot be changed by *any* user, it is the directory that has to change it.


Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl
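The check the thread is talking about, as an added example that is not part of the original mail exchange: ppolicy compares the operational attribute pwdChangedTime (a GeneralizedTime that slapd maintains itself, only returned by ldapsearch when operational attributes are requested, e.g. with '+') against the policy entry's pwdMinAge, and refuses a user-initiated change while the password is younger than that. The functions below reproduce that arithmetic on values an administrator has already read out of the directory, so one can tell how long a user still has to wait, and convert the Unix-epoch form Samba keeps in sambaPwdLastSet to the GeneralizedTime form pwdChangedTime uses. The entry and policy values are constructed sample data; the user DN and policy DN are assumptions.

```python
"""Added example: reason about ppolicy's pwdMinAge from attribute values
read out of the directory (constructed sample data, no live LDAP server)."""
from datetime import datetime, timezone

# Format slapd writes into pwdChangedTime (whole seconds, UTC).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def epoch_to_generalized_time(epoch_seconds: int) -> str:
    """Render a Unix epoch (e.g. a sambaPwdLastSet value) as LDAP GeneralizedTime."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime(GENERALIZED_TIME)


def generalized_time_to_epoch(value: str) -> int:
    """Parse a pwdChangedTime value back into Unix epoch seconds."""
    dt = datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def seconds_until_change_allowed(pwd_changed_time, pwd_min_age: int, now_epoch: int) -> int:
    """Seconds left before pwdMinAge is satisfied; 0 means a change is allowed now.

    Mirrors the overlay's rule: age = now - pwdChangedTime, and a user-initiated
    password modification is refused while age < pwdMinAge.  If the policy has
    no pwdMinAge (or 0) the rule is not enforced; if the entry carries no
    pwdChangedTime there is nothing to measure the age from, so it is not
    enforced either.
    """
    if not pwd_min_age or pwd_changed_time is None:
        return 0
    age = now_epoch - generalized_time_to_epoch(pwd_changed_time)
    return max(0, pwd_min_age - age)


def describe_user(entry: dict, policy: dict, now_epoch: int) -> str:
    """Human-readable verdict for one user entry under one policy entry.

    `entry` and `policy` hold attribute name -> value as an admin would read
    them back with ldapsearch (pwdChangedTime only appears when operational
    attributes are requested).
    """
    wait = seconds_until_change_allowed(
        entry.get("pwdChangedTime"), int(policy.get("pwdMinAge", 0)), now_epoch
    )
    if wait == 0:
        return f"{entry['dn']}: password may be changed now"
    return (f"{entry['dn']}: password is too young to change, "
            f"{wait} s left of pwdMinAge={policy['pwdMinAge']}")


if __name__ == "__main__":
    # Constructed sample data.  The epoch is the value from the original post,
    # i.e. what sambaPwdLastSet would hold; pwdChangedTime is its LDAP form.
    samba_pwd_last_set = 1207690188
    user = {
        "dn": "uid=someuser,ou=Users,dc=example,dc=com",          # assumed DN
        "pwdChangedTime": epoch_to_generalized_time(samba_pwd_last_set),
    }
    policy = {
        "dn": "cn=default,ou=Policies,dc=example,dc=com",         # assumed DN
        "pwdMinAge": "86400",                                     # one day, in seconds
    }
    # "Now" = 23:35 UTC the same evening, two hours after the admin reset.
    now = samba_pwd_last_set + 2 * 3600 + 5 * 60 + 12
    print(user["pwdChangedTime"])
    print(describe_user(user, policy, now))
    print(describe_user(user, policy, now + 2 * 86400))
```

Running it prints the GeneralizedTime for the posted epoch and shows the same user first refused (with the remaining seconds) and then, two days later, allowed; the same arithmetic applied to a real entry tells an administrator whether waiting, lowering pwdMinAge in the policy entry, or a different reset procedure is the right fix.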