
PPolicy Overlay - Wrongly expires user password



OpenLDAP Version: 2.3.5
PPolicy Overlay Version: 1.62

Problem:
PPolicy module determines user password is expired
before pwdMaxAge time has elapsed.

Here's the Password Policy enabled by default for
user's test directory

POLICY OBJECT:
        name    <policy>
        pwdCheckQuality=2
        pwdMaxAge=8640000
        pwdMinAge=0
        pwdMinLength=5
        pwdFailureCountInterval=120
        pwdMaxFailure=3
        pwdMustChange=TRUE
        pwdSafeModify=FALSE
        pwdInHistory=5
        pwdGraceAuthNLimit=5
        pwdLockoutDuration=120
        pwdAllowUserChange=TRUE
        pwdExpireWarning=8640000
        pwdLockout=TRUE


Here are the operational attributes assigned to the test
user:

USER OPERATIONAL ATTRIBUTES:
        name    <394359285170458054>
        createTimestamp    <20051003171523Z>
        modifyTimestamp    <20051003171523Z>
        creatorsName    <cn=Manager,dc=fnfis,dc=com>
        modifiersName    <cn=Manager,dc=fnfis,dc=com>
        subschemaSubentry    <cn=Subschema>
        pwdPolicySubentry    <null>
        pwdChangedTime    <null>
        pwdAccountLockedTime    <null>
        pwdExpirationWarned    <null>
        pwdFailureTime    <null>
        pwdGraceUseTime    <20051003210223Z>
        pwdReset    <null>

The following listing is from slapd log:

** start log trace **

ppolicy_bind: Entry cn=394359285170458054,ou=People,dc=fnfis,dc=com does not have valid pwdChangedTime attribute - assuming password expired
ppolicy_bind: Entry cn=394359285170458054,ou=People,dc=fnfis,dc=com has an expired password: 3 grace logins

** end of log trace **

Observation:

PPolicy module doesn't like a null pwdChangedTime
attribute.  


Any ideas on what the corrective action might be?

Thanks and regards,

Shawn McKinney
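
Added example (not part of the original post and not OpenLDAP code): a small audit that models the decision shown in the slapd log, so entries that would be treated as expired only because pwdChangedTime is missing can be listed before users hit them. It assumes the password policy draft's meaning of pwdMaxAge (seconds since pwdChangedTime, 0 = no expiry); the function names, the second entry and the choice of the post's pwdGraceUseTime as "now" are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_gtime(value):
    """Parse a GeneralizedTime like 20051003171523Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_state(entry, policy, now):
    """Return (state, expiry) for one entry under one policy (hypothetical helper)."""
    max_age = int(policy.get("pwdMaxAge", 0))
    if max_age == 0:                      # assumed draft semantics: 0 means no expiry
        return "no-expiry", None
    changed = entry.get("pwdChangedTime")
    if not changed:                       # the case reported in the slapd log above
        return "expired-missing-pwdChangedTime", None
    expires = parse_gtime(changed) + timedelta(seconds=max_age)
    if now > expires:
        return "expired", expires
    warn = int(policy.get("pwdExpireWarning", 0))
    if warn and expires - now <= timedelta(seconds=warn):
        return "warning", expires         # inside the pwdExpireWarning window
    return "valid", expires

def audit(entries, policy, now):
    """Map each DN to its state so missing-attribute entries stand out."""
    return {e["dn"]: password_state(e, policy, now)[0] for e in entries}

# Policy values copied from the post; only the two that affect expiry are used.
POLICY = {"pwdMaxAge": "8640000", "pwdExpireWarning": "8640000"}
ENTRIES = [
    # The user from the post: created 20051003171523Z, no pwdChangedTime.
    {"dn": "cn=394359285170458054,ou=People,dc=fnfis,dc=com",
     "createTimestamp": "20051003171523Z"},
    # Constructed comparison entry with pwdChangedTime present.
    {"dn": "cn=constructed-user,ou=People,dc=fnfis,dc=com",
     "pwdChangedTime": "20051003171523Z"},
]
NOW = parse_gtime("20051003210223Z")      # the pwdGraceUseTime shown in the post

if __name__ == "__main__":
    for dn, state in audit(ENTRIES, POLICY, NOW).items():
        print(f"{state:32} {dn}")
```

Because pwdExpireWarning equals pwdMaxAge in the posted policy, an entry that does carry pwdChangedTime is reported as "warning" for its whole lifetime rather than "valid".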