[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
PPolicy Overlay - Wrongly expires user password
- To: OpenLDAP-software@OpenLDAP.org
- Subject: PPolicy Overlay - Wrongly expires user password
- From: Shawn McKinney <smmtech2@sbcglobal.net>
- Date: Mon, 3 Oct 2005 14:27:07 -0700 (PDT)
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=sbcglobal.net; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=eymE3/Z5I4hjRl4YeYv+/eamH9chmsSJUs/+4+1k2tHqRQvMnLiqs0ByZz2rCE2BevtMLk2JDoyAT6pNaGT/8wHuhD+tIykbp6tcO90/EyWlzw3fpOVmtzL2sy/EahU4/72IP60Lz9tt328dnploaKWKN70z7LVUgO7Wq+tePdY= ;
OpenLDAP Version: 2.3.5
PPolicy Overlay Version: 1.62
Problem:
PPolicy module determines user password is expired
before pwdMaxAge time has elapsed.
Here's the Password Policy enabled by default for
user's test directory
POLICY OBJECT:
name <policy>
pwdCheckQuality=2
pwdMaxAge=8640000
pwdMinAge=0
pwdMinLength=5
pwdFailureCountInterval=120
pwdMaxFailure=3
pwdMustChange=TRUE
pwdSafeModify=FALSE
pwdInHistory=5
pwdGraceAuthNLimit=5
pwdLockoutDuration=120
pwdAllowUserChange=TRUE
pwdExpireWarning=8640000
pwdLockout=TRUE
Here's the operational attributes assigned to test
user:
USER OPERATIONAL ATTRIBUTES:
name <394359285170458054>
createTimestamp <20051003171523Z>
modifyTimestamp <20051003171523Z>
creatorsName <cn=Manager,dc=fnfis,dc=com>
modifiersName <cn=Manager,dc=fnfis,dc=com>
subschemaSubentry <cn=Subschema>
pwdPolicySubentry <null>
pwdChangedTime <null>
pwdAccountLockedTime <null>
pwdExpirationWarned <null>
pwdFailureTime <null>
pwdGraceUseTime <20051003210223Z>
pwdReset <null>
The following listing is from slapd log:
** start log trace **
ppolicy_bind: Entry
cn=394359285170458054,ou=People,dc=fnfis,dc=com does
not have valid pwdChangedTime attribute - assuming
password expired
ppolicy_bind: Entry
cn=394359285170458054,ou=People,dc=fnfis,dc=com has an
expired password: 3 grace logins
** end of log trace **
Observation:
PPolicy module doesn't like a null pwdChangedTime
attribute.
Any ideas on what the corrective action might be?
Thanks and regards,
Shawn McKinney