pwdMustChange and pwdExpireWarning

To: openldap-technical@openldap.org

Subject: pwdMustChange and pwdExpireWarning

From: Wei Gao <weigao88@gmail.com>

Date: Thu, 12 Aug 2010 16:47:18 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=xE+WEx41kf58C6XXmxt0WFxEb0VBPG8YyGCj8yAitk0=; b=ggzv5GwswrtSWmVljQaRifZese4sBOlrRlfaUD9itzA9OK28nM7d0tctmuWTaiFroV ZDDnmBASf7NbOD3X+OX2Su7BxMPW38ygnnExVCF2+aBZsokjhieaDp3uSh6IvIStdDxZ vTanAA4P0PBMQ4HB1YGyci3tgjRTngsS/B3wg=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=PX7sBY/3hB4MAe4Xufq03qLVElq77Zj5o4y0L2BBDvaBaJEyF5f7ZTWf9moeZjHex5 owRf4nrwCfAyaVflzEpbMh5C+Xwf8feocn8uTNRL7GTuYkUB7JsEsrPl/vuls8D16mTY RiHtt6O8B3/W1kAcPRJ5xHyFbZbPQL08lPsXo=

I have pwdMustChange set to true in my default ppolicy. I tried to change a user's password EITHER as Manager on LDAP server OR via the following command on my LDAP server

ldappasswd -x -D "cn=Manager,dc=example,dc=company" -W -S "uid=user1,ou=People,dc=example,dc=company"

Since I have pwdMustChange set to true, the user should be required to change his password when he tries to log in next time. But the system doesn't prompt the user to change his password. And when I ran slapcat -a '(uid=user1)', I saw most Operational Attributes except pwdReset. All my settings seem to be correct. I couldn't figure out what is wrong here.

One other question I have is: In my default ppolicy, I have pwdExpireWarning set to 1209600 (14 days). My current password is going to expire in 12 days, how come I don't see a warning message when I ssh to my system?

Thank you for your help.

Regards

Wei

Follow-Ups:

Re: pwdMustChange and pwdExpireWarning
- From: Buchan Milne <bgmilne@staff.telkomsa.net>