Antw: Re: Meaning of "ppolicy_bind: Setting warning for password expiry for ... = 0 seconds"?
>>> Michael Ströder <michael@stroeder.com> wrote on 06.11.2014 at 09:16 in
message <545B2E53.7070404@stroeder.com>:
> Which OpenLDAP version?
>
> You can search for the message in source file
> servers/slapd/overlays/ppolicy.c
>
> Reading the comment, setting warn = 0 should not happen.
>
> Does uid=testuser,ou=domain,dc=org really have a correct 'pwdChanged'
> attribute value?
Hi!

You are on the right track: None of our users has a 'pwdChanged' attribute!
Which is also not surprising, because I could not find that attribute in the
objectclasses being used:

objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount

However I see these attributes being modified since ppolicy is active:

pwdChangedTime
pwdFailureTime
pwdGraceUseTime
pwdHistory

Could it be you meant "pwdChangedTime" instead? If so, could the problem be
that that attribute is created only after ppolicy is active _and_ the user
actually changed the password?

If so, a heuristic would be to assume the password is not older than
createTimestamp if pwdChangedTime is missing.

Regards,
Ulrich
>
> Ciao, Michael.
>
> Ulrich Windl wrote:
>> Hi!
>>
>> Can someone explain what this message is actually saying:
>> slapd[3990]: ppolicy_bind: Setting warning for password expiry for uid=testuser,ou=domain,dc=org = 0 seconds
>>
>> Does this mean a user who mistyped his password before logged in
>> successfully now?
>>
>> I saw no change to the LDAP database after this message, so what is
>> changed, and where is it changed? Also those "0 seconds" don't match my
>> password policy, which looks like this (still testing):
>>
>> --
>> objectClass: namedObject
>> objectClass: pwdPolicy
>> cn: PP-Default
>> pwdAttribute: userPassword
>> pwdMinAge: 30
>> pwdMaxAge: 86400000
>> pwdInHistory: 3
>> pwdCheckQuality: 1
>> pwdMinLength: 8
>> pwdExpireWarning: 604800
>> pwdGraceAuthNLimit: 5
>> pwdLockout: TRUE
>> pwdLockoutDuration: 1800
>> pwdMaxFailure: 10
>> pwdFailureCountInterval: 1209600
>> pwdMustChange: TRUE
>> pwdAllowUserChange: TRUE
>> pwdSafeModify: FALSE
>> --
>>
>> I'm running SLES11 SP3...
>>
>> Regards,
>> Ulrich
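
The heuristic proposed in the reply above (fall back to createTimestamp when pwdChangedTime is missing) can be tried offline against an LDIF export. This is an added example, not part of the original thread and not slapd's own logic; the sample entries, the second DN and the function names are constructed for illustration, while pwdMaxAge and pwdExpireWarning are the values from the quoted policy.

```python
from datetime import datetime, timezone

# Values from the policy entry quoted in the thread (cn: PP-Default).
PWD_MAX_AGE = 86400000        # seconds
PWD_EXPIRE_WARNING = 604800   # seconds

# Constructed sample LDIF (not real directory data). The first entry has no
# pwdChangedTime, as reported for the users in the thread.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=domain,dc=org
createTimestamp: 20120215080000Z

dn: uid=changed,ou=domain,dc=org
createTimestamp: 20120215080000Z
pwdChangedTime: 20141101120000Z
"""

def parse_gt(value):
    """Parse an LDAP GeneralizedTime in the common YYYYmmddHHMMSSZ form."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_entries(ldif):
    """Split simple, unwrapped LDIF into {attr: value} dicts (single values only)."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            entry[name] = value
        entries.append(entry)
    return entries

def expiry_report(ldif, now, max_age=PWD_MAX_AGE, warn_window=PWD_EXPIRE_WARNING):
    """Per entry: (dn, time source used, seconds until expiry, in warning window?)."""
    report = []
    for e in parse_entries(ldif):
        # Heuristic from the thread: without pwdChangedTime, assume the
        # password is not older than the entry itself.
        source = "pwdChangedTime" if "pwdChangedTime" in e else "createTimestamp"
        age = int((now - parse_gt(e[source])).total_seconds())
        remaining = max_age - age   # negative means already past pwdMaxAge
        report.append((e["dn"], source, remaining, 0 <= remaining < warn_window))
    return report

if __name__ == "__main__":
    for row in expiry_report(SAMPLE_LDIF, datetime.now(timezone.utc)):
        print(row)
```

Both createTimestamp and pwdChangedTime are operational attributes, so the export has to request them explicitly (or with "+") for this check to see them.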