Hey List,
I wanted to test the scenario where a user had forgotten his password and needed to have it reset. I wanted to give this user the ability to change this temporary password if they wanted. To do this, I:
1. Executed ldappasswd, binding as the rootdn, to change the user's password
2. Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet attributes
3. Logged in to the domain as the user
4. Hit Ctrl+Alt+Delete and selected "Change Password"
However, because my ppolicy pwdMinAge hadn't expired yet, the user was unable to change the password. So, it seems necessary to be able to change that value for the user so he/she can change their password. I couldn't find an attribute called pwdMinAge, but I'm assuming that's because it just looks at pwdChangedTime. I 'assume' because I couldn't find explicit documentation stating this, though the man page definition for pwdChangedTime says "[pwdChangedTime] is used by the password expiration policy to determine whether the password is too old to be allowed to be used for user authentication." Is this why I see a NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change a password that is being protected by pwdMinAge?
And, is executing an ldapmodify the proper thing to do in this situation to change the pwdChangedTime and allow the user to change his/her password? E.g.:
    ldapmodify -D "cn=admin,dc=example,dc=com" -W <<'EOF'
    dn: uid=someuser,ou=Users,dc=example,dc=com
    changetype: modify
    replace: pwdChangedTime
    # pwdChangedTime is a GeneralizedTime (YYYYMMDDHHMMSSZ), not epoch seconds with a Z
    pwdChangedTime: 20080408212948Z
    EOF
Thanks as always, Ryan
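As an added illustration (not part of Ryan's message, and not OpenLDAP project code), the following Python helper shows the check that ppolicy is effectively making: it parses pwdChangedTime as an LDAP GeneralizedTime, adds the policy's pwdMinAge (seconds), and reports when the user is next allowed to change the password. It also converts an epoch value such as the 1207690188 above into the GeneralizedTime syntax the attribute actually requires, and generates the LDIF that backdates pwdChangedTime by pwdMinAge so the change is permitted. The DN, the pwdMinAge of 86400 and the timestamps are constructed sample values. Note that pwdChangedTime is an operational attribute marked NO-USER-MODIFICATION, so ldapmodify only accepts the replace when sent with the Relax Rules control (`-e relax`), which the LDIF generator below reminds you of in a comment line.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as slapd writes it (UTC, no fraction)


def parse_generalized_time(value: str) -> datetime:
    """Parse a GeneralizedTime like 20080408212948Z into an aware UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def format_generalized_time(dt: datetime) -> str:
    """Render an aware datetime in the syntax pwdChangedTime requires."""
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def epoch_to_generalized_time(seconds: int) -> str:
    """Convert Unix epoch seconds (what the post used) into GeneralizedTime."""
    return format_generalized_time(datetime.fromtimestamp(seconds, tz=timezone.utc))


def earliest_change(pwd_changed_time: str, pwd_min_age: int) -> datetime:
    """When ppolicy first permits a user-initiated password change (pwdMinAge is in seconds)."""
    return parse_generalized_time(pwd_changed_time) + timedelta(seconds=pwd_min_age)


def can_change(pwd_changed_time: str, pwd_min_age: int, now: datetime) -> bool:
    """True if pwdMinAge has elapsed since the last recorded change."""
    return now >= earliest_change(pwd_changed_time, pwd_min_age)


def backdate_ldif(dn: str, pwd_min_age: int, now: datetime, slack: int = 60) -> str:
    """Build the LDIF that sets pwdChangedTime far enough back for pwdMinAge to have passed.

    `slack` adds a safety margin so clock skew between admin host and slapd
    does not leave the change still a few seconds too early.
    """
    new_value = format_generalized_time(now - timedelta(seconds=pwd_min_age + slack))
    return "\n".join([
        "# apply with: ldapmodify -e relax -D <rootdn> -W -f this.ldif",
        f"dn: {dn}",
        "changetype: modify",
        "replace: pwdChangedTime",
        f"pwdChangedTime: {new_value}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: a policy with pwdMinAge of one day, user changed at the post's epoch value
    changed = epoch_to_generalized_time(1207690188)          # 20080408212948Z
    min_age = 86400
    now = parse_generalized_time("20080409120000Z")           # constructed "current" time
    print("pwdChangedTime:", changed)
    print("earliest allowed change:", format_generalized_time(earliest_change(changed, min_age)))
    print("can change now?", can_change(changed, min_age, now))
    if not can_change(changed, min_age, now):
        print(backdate_ldif("uid=someuser,ou=Users,dc=example,dc=com", min_age, now))
```

Run it as-is to see the sample walk-through; in practice, read pwdChangedTime from the entry with `ldapsearch ... '+'` (operational attributes are not returned by default) and pwdMinAge from the policy entry, then feed them to the same functions.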