I have been attempting to use the ppolicy overlay on an openldap server running on a Red Hat V5.4 platform with the following components:










I was unable to get the user's password to expire by simply setting a value for pwdMaxAge without the use of the pwdReset parameter.


I finally turned on all debugging in the slapd.conf file (value -1) and noticed that the value of pwdGraceAuthNLimit in the default policy was set to 3, which allowed the ldap user access without changing the password.


The disturbing thing about this was the fact that the user is not notified that their password has expired. I would have thought that if the intent was to allow an expired password, then the user should be notified of not only the fact that their password has expired but how many more grace logins they would be allowed before either having to change the password or having the account disabled.


Is this really what development had intended or are there some enhancements to this behavior in a later version?




Al Licause

HP Services

Unix Network Team
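The behaviour described in the post (an expired password still binding successfully while pwdGraceAuthNLimit grace logins remain, with the user seeing nothing) is easier to reason about as a small model. The block below is an added example, not code from the post or from OpenLDAP: it implements the bind decision the Password Policy draft describes (pwdMaxAge, pwdGraceAuthNLimit, pwdExpireWarning, pwdReset) and records whether the client would actually have received a notification, which only happens when the client sends the Password Policy request control. The policy values, timestamps and the "remaining after this use" counting of grace logins are constructed assumptions for the example; the control OID is the real one registered for that control.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# OID of the LDAP Password Policy request/response control
# (draft-behera-ldap-password-policy); slapd only returns the response
# control when the client sent the request control with the bind.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20240101120000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Policy:
    """Subset of pwdPolicy attributes relevant to expiry (seconds / counts)."""
    pwdMaxAge: int                 # 0 means the password never expires
    pwdGraceAuthNLimit: int = 0    # binds allowed after expiry (0 = none)
    pwdExpireWarning: int = 0      # warn this many seconds before expiry


@dataclass
class BindOutcome:
    allowed: bool
    error: Optional[str] = None               # e.g. passwordExpired, changeAfterReset
    grace_remaining: Optional[int] = None     # graceAuthNsRemaining in the control
    seconds_before_expiration: Optional[int] = None
    control_returned: bool = False            # did the client get the response control?


def evaluate_bind(policy: Policy, pwd_changed_time: str, pwd_grace_use_time: List[str],
                  now: str, client_sent_control: bool, pwd_reset: bool = False) -> BindOutcome:
    """Model the ppolicy overlay's decision for one simple bind.

    pwd_changed_time / now are GeneralizedTime strings; pwd_grace_use_time is the
    list of timestamps already stored in the user's pwdGraceUseTime attribute.
    """
    changed = parse_generalized_time(pwd_changed_time)
    current = parse_generalized_time(now)

    if policy.pwdMaxAge == 0:
        # No ageing configured: bind succeeds, nothing to report.
        return BindOutcome(allowed=True, control_returned=client_sent_control)

    expires_at = changed + timedelta(seconds=policy.pwdMaxAge)

    if current >= expires_at:
        # Assumption for this example: graceAuthNsRemaining counts the grace
        # logins left *after* the current one is consumed.
        grace_left = policy.pwdGraceAuthNLimit - len(pwd_grace_use_time)
        if grace_left > 0:
            return BindOutcome(allowed=True, grace_remaining=grace_left - 1,
                               control_returned=client_sent_control)
        # No grace logins left: bind fails with the passwordExpired ppolicy error.
        return BindOutcome(allowed=False, error="passwordExpired",
                           control_returned=client_sent_control)

    if pwd_reset:
        # Administrator reset the password: bind succeeds but the user may only
        # change the password until they do so.
        return BindOutcome(allowed=True, error="changeAfterReset",
                           control_returned=client_sent_control)

    remaining = int((expires_at - current).total_seconds())
    warn = remaining if (policy.pwdExpireWarning and remaining <= policy.pwdExpireWarning) else None
    return BindOutcome(allowed=True, seconds_before_expiration=warn,
                       control_returned=client_sent_control)


def user_was_notified(outcome: BindOutcome) -> bool:
    """True only if there was something to say AND the client could receive it."""
    has_news = (outcome.error is not None or outcome.grace_remaining is not None
                or outcome.seconds_before_expiration is not None)
    return has_news and outcome.control_returned


if __name__ == "__main__":
    # Constructed sample: password changed at midnight, one-hour max age,
    # bind attempted two hours later with the default-like policy from the post.
    weak = Policy(pwdMaxAge=3600, pwdGraceAuthNLimit=3, pwdExpireWarning=900)
    hardened = Policy(pwdMaxAge=3600, pwdGraceAuthNLimit=0, pwdExpireWarning=900)
    for name, pol in (("weak", weak), ("hardened", hardened)):
        for ctrl in (False, True):
            out = evaluate_bind(pol, "20240101000000Z", [], "20240101020000Z", ctrl)
            print(f"{name:8} control={ctrl!s:5} allowed={out.allowed} "
                  f"grace_remaining={out.grace_remaining} notified={user_was_notified(out)}")
```

The two rows of the weak policy reproduce the situation in the post: the expired user binds successfully, and unless the client sent the control (for the OpenLDAP command-line tools, `ldapsearch -e ppolicy`), nothing tells them a grace login was just spent. Setting pwdGraceAuthNLimit to 0 makes expiry effective regardless of what the client asks for, which is the practical mitigation if grace logins are not wanted.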