Re: A question about pwdMinAge
Howard Chu wrote:
> Chris G. Sellers wrote:
>> pwdMinAge is part of the password policy, not part of the user's record.
>>
>> The scheme defines pwdMinAge as being part of the objectClass
>> pwdPolicy, so unless you have that in your users record, it will not
>> be there.
>>
>> I believe you assume correctly that it uses math to determine when the
>> password was last changed, and when the current time is.  If that does
>> not exceed the value of the password policy entry for pwdMinAge, then
>> the change will fail.
>>
>> You could change the user's passwordPolicy to be Zero Day password
>> change, but you would have to change it back.
>
> RTFM already. slapo-ppolicy(5), pwdReset.
>
I set pwdReset to TRUE after setting a reasonable pwdMinAge, and reset
the user's password with ldappasswd, binding as the rootdn to make the
change.  Then, I adjusted the sambaPwdCanChange and sambaPwdLastSet
values to something earlier than the current time.  Alas, I still get
"Password is too young to change" from LDAP.  My only recourse at this
point is to only enforce the 'min password age' in Samba via pdbedit,
but I'd really like to enforce this in LDAP as well as an extra
precaution against shell users circumventing the policies laid forth in
Samba.  Any and all advice and/or clue-stick beatings welcome.

I look forward to the day when the interaction between the two is more
seamless/native, which hopefully is in the not-too-distant future; I've
been made aware of a new RFC proposal to make Samba play nice with
ppolicy:
http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-passwords-00.txt
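The age check the thread argues about, as an added illustration that is not code from OpenLDAP or from anyone on this list: a Python model that takes the pwdPolicy and user attributes and reports whether a user's own password change would be refused. The pwdReset exemption is an assumption about the override Howard's reply points to in slapo-ppolicy(5), and the GeneralizedTime parser only accepts UTC ("Z") values; the sample entries are constructed.

```python
"""Model of the pwdMinAge check discussed in the thread (illustration only)."""
from datetime import datetime, timezone

PASSWORD_TOO_YOUNG = "Password is too young to change"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20240301120000Z (UTC only)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_pwd_min_age(policy: dict, entry: dict, now: datetime):
    """Return (allowed, reason) for a user-initiated password change.

    policy: attributes of the pwdPolicy entry (only pwdMinAge is used).
    entry:  attributes of the user entry (pwdChangedTime, pwdReset).
    Note that Samba's sambaPwdLastSet / sambaPwdCanChange are not consulted:
    the overlay's arithmetic is driven by its own pwdChangedTime attribute.
    """
    min_age = int(policy.get("pwdMinAge", 0))
    if min_age <= 0:
        return True, "pwdMinAge absent or 0: no minimum age enforced"
    # Assumption: an administrative reset flagged by pwdReset: TRUE exempts
    # the entry from the minimum-age test (verify against slapo-ppolicy(5)).
    if entry.get("pwdReset", "FALSE").upper() == "TRUE":
        return True, "pwdReset is TRUE: change required, minimum age not applied"
    changed = entry.get("pwdChangedTime")
    if changed is None:
        return True, "no pwdChangedTime recorded: age unknown, change allowed"
    age = int((now - parse_generalized_time(changed)).total_seconds())
    if age < min_age:
        return False, f"{PASSWORD_TOO_YOUNG} (age {age}s < pwdMinAge {min_age}s)"
    return True, f"age {age}s >= pwdMinAge {min_age}s"


if __name__ == "__main__":
    # Constructed sample: a one-day minimum age, password set 30 minutes ago.
    policy = {"pwdMinAge": "86400"}
    now = parse_generalized_time("20240301123000Z")
    user = {"pwdChangedTime": "20240301120000Z"}
    print(check_pwd_min_age(policy, user, now))
    print(check_pwd_min_age(policy, {**user, "pwdReset": "TRUE"}, now))
```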