I did a test with your suggestion and now It is working when I change
the pwdMaxAge to some short time as 15 seconds but I don't receive any
message invite me to change the password or any warning message for
I see the follow message in debug mode:
uid=user1,ou=People,dc=sample,dc=com has an expired password
I set the attributes in default Policies:
In my ldap client I have set:
Do I have to change something in PAM?
Thanks in advance!
On 08/29/2012 03:59 PM, Guillaume Rousse wrote:
Le 29/08/2012 20:52, cbulist a écrit :
> Thanks Clement and Guillaume for your reply.
> This is my operational attributes for my user:
> dn: cn=user1,ou=policies,dc=samle,dc=com
> objectClass: pwdPolicy
> objectClass: top
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> cn: user1
> pwdAttribute: userPassword
> sn: user1
> uid: user1
> pwdAllowUserChange: TRUE
> pwdExpireWarning: 10
> pwdLockout: TRUE
> pwdMaxAge: 15
> pwdMustChange: TRUE
Those are plain attributes, not *operational* attributes.
> I know that my access configuration is dangereous but how I am testing I
> just want to be sure don't block anything.
> If I understood your concept I can't use pwdPolicy for unix account. Is
> there any way to control password history with shadowAccount?..
Not with shadowAccount, but with password policy. Just create a
pwdPolicy object, instance of pwdPolicy class, and apply it to either
all your users, through slapd.conf ppolicy_default setting, or just to
some of your users, through its operational pwdPolicySubentry attribute.
Basically, you should have distinct user and policy objects, such as: