Howard Chu wrote:
Chris G. Sellers wrote:
pwdMinAge is part of the password policy, not part of the user's record.
The schema defines pwdMinAge as being part of the objectClass pwdPolicy, so unless you have that in your user's record, it will not be there.
I believe you assume correctly that it uses math to determine when the password was last changed, and when the current time is. If that does not exceed the value of the password policy entry for pwdMinAge, then the change will fail.
You could change the user's passwordPolicy to be Zero Day password change, but you would have to change it back.
RTFM already. slapo-ppolicy(5), pwdReset.
I set pwdReset to TRUE after setting a reasonable pwdMinAge, and reset the user's password with ldappasswd, binding as the rootdn to make the change. Then, I adjusted the sambaPwdCanChange and sambaPwdLastSet values to something earlier than the current time. Alas, I still get "Password is too young to change" from LDAP. My only recourse at this point is to only enforce the 'min password age' in Samba via pdbedit, but I'd really like to enforce this in LDAP as well as an extra precaution against shell users circumventing the policies laid forth in Samba. Any and all advice and/or clue-stick beatings welcome.
I look forward to the day when the interaction between the two is more seamless/native, which hopefully is in the not-too-distant future; I've been made aware of a new RFC proposal to make Samba play nice with ppolicy: http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-passwords-00.txt
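
Added example, not part of the original messages and not OpenLDAP's own code: a model of the minimum-age comparison discussed in the thread, assuming the overlay compares the entry's pwdChangedTime operational attribute (documented in slapo-ppolicy(5)) against the policy's pwdMinAge. The entry values, dates and function names are constructed for illustration; it shows that an administrative reset restarts the clock and that backdating the Samba attributes does not affect the result.

```python
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """Parse LDAP Generalized Time in UTC 'Z' form, e.g. 20080115120000Z."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC generalized time ending in 'Z'")
    main, _, frac = value[:-1].partition(".")
    ts = datetime.strptime(main, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if frac:  # optional fractional seconds
        ts += timedelta(seconds=float("0." + frac))
    return ts


def min_age_check(entry, policy, now):
    """Return (allowed, seconds_remaining) for a user-initiated change.

    Assumption: only pwdChangedTime and pwdMinAge take part in the
    comparison; the sambaPwd* attributes are never consulted.
    """
    min_age = int(policy.get("pwdMinAge", 0))
    changed = entry.get("pwdChangedTime")
    if min_age <= 0 or changed is None:
        return True, 0  # check disabled, or no recorded change time
    age = (now - parse_generalized_time(changed)).total_seconds()
    if age < min_age:
        return False, int(min_age - age)
    return True, 0


# Constructed sample data: an admin reset at 12:00 UTC stamped pwdChangedTime.
POLICY = {"pwdMinAge": "86400"}  # one day
ENTRY = {
    "pwdChangedTime": "20080115120000Z",
    "sambaPwdLastSet": "1200000000",    # backdated by hand
    "sambaPwdCanChange": "1200000000",  # backdated by hand
}
ONE_HOUR_LATER = datetime(2008, 1, 15, 13, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    allowed, wait = min_age_check(ENTRY, POLICY, ONE_HOUR_LATER)
    print("allowed" if allowed else f"too young, {wait}s remaining")
```

Reading pwdChangedTime from the live entry requires requesting it explicitly, since operational attributes are not returned by default.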