pwdMinAge is part of the password policy, not part of the user's record.
The scheme defines pwdMinAge as being part of the objectClass pwdPolicy, so unless you have that in your users record, it will not be there.
I believe you assume correct that it uses math to determine when the password was last changed, and when the current time is. If that does not exceed the value of the password policy entry for pwdMinAge, then the change will fail.
You could change the user's passwordPolicy to be Zero Day password change,but you would have to change it back.
RTFM already. slapo-ppolicy(5), pwdReset.
Ryan Steele skrev, on 08-04-2008 23:35:
I wanted to test the scenario where a user had forgotten his password, and needed to have it reset. I wanted to give this user the ability change this temporary password if they wanted. To do this, I:
However, because my ppolicy pwdMinAge hadn't expired yet, the user was unable to change the password. So, it seems necessary to be able to change that value for the user so he/she can change their password. I couldn't find an attribute called pwdMinAge, but I'm assuming that's because it just looks at pwdChangedTime.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/