Tony Earnshaw wrote:
My site uses ppolicy with great success.
Ryan Steele wrote, on 08-04-2008 23:35:
> I wanted to test the scenario where a user had forgotten his password,
> and needed to have it reset. I wanted to give this user the ability to
> change this temporary password if they wanted. To do this, I:
> 1. Executed ldappasswd, binding as the rootdn, to change the user's
> 2. Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet
Fie. That's part of what 'overlay smbk5pwd' is for. Does it
I'm using smbk5pwd, but I think you're missing the point here. Users
can change their passwords just fine thanks to the overlay, but not if I
reset the password, because then the sambaPwdCanChange, sambaPwdLastSet,
and pwdChangedTime (or pwdMinAge) gets updated. The first two I can fix
easily, the third is where I run into trouble.
> 3. Logged in to the domain as the user
> 4. Hit Ctrl+Alt+Delete and selected "Change Password"
> However, because my ppolicy pwdMinAge hadn't expired yet, the user was
> unable to change the password. So, it seems necessary to be able to
> change that value for the user so he/she can change their password. I
> couldn't find an attribute called pwdMinAge, but I'm assuming that's
> because it just looks at pwdChangedTime.
The pwdMinAge attribute exists. Perhaps a GUI such as gq could help here.
I shouldn't need a GUI to administer the directory, but nevertheless I
installed phpldapadmin, and it doesn't see a pwdMinAge attribute in the
user's entry. Neither slapcat nor ldapvi can find this attribute on the
> I 'assume' because I couldn't
> find explicit documentation stating this, though the man page definition
> for pwdChangedTime says "[pwdChangedTime] is used by the password
> expiration policy to determine whether the password is too old to be
> allowed to be used for user authentication." Is this why I see a
> NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change
> a password that is being protected by pwdMinAge?
No, pwdMinAge has nothing to do with Samba, Samba doesn't use it - see
It _does_ affect being able to change your password when logged into a
Samba controlled domain. Adding a pwdMinAge attribute to my password
policy prevents the user from being able to change his/her password
after it's been reset by an administrator. I'm familiar with pdbedit,
but I fail to see how that will help me solve this problem. I'm happy
to be convinced otherwise, though.
> And, is executing an ldapmodify the proper thing to do in this situation
> to change the pwdChangedTime and allow the user to change his/her
> password? E.g.:
> ldapmodify -D "cn=admin,dc=example,dc=com" -W
> dn: uid=someuser,ou=Users,dc=example,dc=com
> changetype: modify
> replace: pwdChangedTime
> # GeneralizedTime (YYYYMMDDHHMMSSZ), not epoch seconds: 1207690188 is 20080408212948Z
> pwdChangedTime: 20080408212948Z
pwdChangedTime is an operational attribute and cannot be changed by
*any* user, it is the directory that has to change it.
Well then, how does one accomplish what I'm trying to do? If a user
forgets his/her password, and an admin resets it, I want the user to be
able to change it to something they're comfortable with (which adheres
to the restrictions), but short of removing the pwdMinAge attribute from
my password policy, I can't seem to figure out how that is possible.
Thanks as always,
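Added example, not code from this thread or from OpenLDAP or Samba: a small Python script that works through the arithmetic behind the problem above. It assumes what the thread assumes, namely that slapo-ppolicy refuses a self-service password change while now - pwdChangedTime is less than pwdMinAge (seconds), and that the operational pwdChangedTime can be read back with an ldapsearch that requests '+' but not rewritten with ldapmodify. The user DN and cn=admin DN are the ones from the thread; the policy DN cn=default,ou=Policies,dc=example,dc=com, the one-day pwdMinAge, the LDIF entries and the values written to sambaPwdCanChange/sambaPwdLastSet are constructed assumptions, not real directory data.

```python
"""pwdMinAge / pwdChangedTime arithmetic for a ppolicy + Samba user.

Added example (not from the thread, OpenLDAP or Samba). Assumes, as the
thread does, that slapo-ppolicy rejects a self-change while
    now - pwdChangedTime < pwdMinAge   (pwdMinAge in seconds).
USER_LDIF is a constructed dump of the shape produced by
    ldapsearch -x -D cn=admin,dc=example,dc=com -W
        -b uid=someuser,ou=Users,dc=example,dc=com '*' '+'
('+' requests operational attributes such as pwdChangedTime).
"""
import re
from datetime import datetime, timedelta, timezone

GENTIME_FMT = "%Y%m%d%H%M%SZ"

# Constructed user entry. pwdChangedTime is operational and owned by slapd;
# the samba* attributes are plain epoch-second integers an admin may edit.
USER_LDIF = """\
dn: uid=someuser,ou=Users,dc=example,dc=com
uid: someuser
sambaPwdLastSet: 1207690188
sambaPwdCanChange: 1207690188
pwdChangedTime: 20080408212948Z
"""

# Constructed policy entry (DN is an assumption): pwdMinAge of one day.
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
pwdMinAge: 86400
"""


def parse_ldif(text):
    """Flatten a single-entry LDIF fragment into {attr: [values]}.
    Plain 'attr: value' lines only; '::' base64 and folded lines are
    not handled, which is enough for the entries above."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def is_generalized_time(value):
    """True for the form slapd stores, YYYYmmddHHMMSSZ. An epoch number
    with a Z appended ('1207690188Z') is not GeneralizedTime."""
    return re.fullmatch(r"\d{14}Z", value) is not None


def parse_generalized_time(value):
    """GeneralizedTime string -> timezone-aware UTC datetime."""
    if not is_generalized_time(value):
        raise ValueError("not a GeneralizedTime: %r" % value)
    return datetime.strptime(value, GENTIME_FMT).replace(tzinfo=timezone.utc)


def to_generalized_time(dt):
    """Aware datetime -> GeneralizedTime string, as slapd writes it."""
    return dt.astimezone(timezone.utc).strftime(GENTIME_FMT)


def gentime_to_epoch(value):
    """GeneralizedTime -> epoch seconds, the unit the samba* attributes use."""
    return int(parse_generalized_time(value).timestamp())


def seconds_until_change_allowed(entry, policy, now):
    """Seconds the user must still wait under pwdMinAge; 0 when allowed.
    No pwdChangedTime on the entry, or pwdMinAge absent or 0, means no
    minimum-age restriction."""
    min_age = int(policy.get("pwdMinAge", ["0"])[0])
    changed = entry.get("pwdChangedTime")
    if min_age <= 0 or not changed:
        return 0
    age = (now - parse_generalized_time(changed[0])).total_seconds()
    return max(0, int(min_age - age))


def samba_reset_ldif(dn, epoch):
    """ldapmodify input for the Samba side of the reset (done with ldapvi
    in the thread). Values are an assumption: sambaPwdCanChange set to the
    reset time lets Samba allow an immediate change. pwdChangedTime, which
    slapd owns, is deliberately not touched."""
    return "\n".join([
        "dn: %s" % dn, "changetype: modify",
        "replace: sambaPwdCanChange", "sambaPwdCanChange: %d" % epoch, "-",
        "replace: sambaPwdLastSet", "sambaPwdLastSet: %d" % epoch, "",
    ])


def demo():
    """Constructed case: how long after the admin reset (pwdChangedTime)
    until the user may change the password, and the Samba reset LDIF."""
    user, policy = parse_ldif(USER_LDIF), parse_ldif(POLICY_LDIF)
    changed = user["pwdChangedTime"][0]
    reset_at = parse_generalized_time(changed)
    return {
        "wait_after_2h": seconds_until_change_allowed(
            user, policy, reset_at + timedelta(hours=2)),
        "wait_after_2d": seconds_until_change_allowed(
            user, policy, reset_at + timedelta(days=2)),
        "reset_ldif": samba_reset_ldif(user["dn"][0], gentime_to_epoch(changed)),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%s:\n%s" % (key, val))
```

Run it as is; with the constructed one-day pwdMinAge the user is still blocked two hours after the reset (79200 seconds to go) and free to change two days after it. The only knob the script leaves in the admin's hands is the Samba LDIF; the ppolicy side has to come from the server's own bookkeeping or from the policy entry, which is exactly the difficulty the thread ends on.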