On Thu, Apr 16, 2015, at 06:38 AM, rockwang wrote:
> Hi, all
> I set the policy for the user as follows:
>
> # default, policies, abc.com
> dn: cn=default,ou=policies,dc=abc,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAttribute: userPassword
> pwdMaxAge: 7776002
> pwdExpireWarning: 432000
> pwdInHistory: 3
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdMaxFailure: 5
> pwdLockout: TRUE
> pwdLockoutDuration: 900
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 0
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> pwdSafeModify: FALSE
>
> My question is how to check the user's lock status.
With this policy an entry will have its password expired (it will be denied BIND with an invalid credentials message) when:

    account.pwdLastChange + policy.pwdMaxAge > $currentTimestamp
> Another question is that pwdMustChange doesn't work in the Linux client when the user first logs in.
Both pwdMustChange (in the policy) and pwdReset (on the entry) must be set if you want the client to force an entry's password to be reset before logging it in.
> Rock.wang
dario zanzico
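An added worked example for both questions above (it is not code from either poster or from OpenLDAP itself). It evaluates one user's lock, expiry and forced-change state offline from an ldapsearch dump of the entry, against the numbers from the cn=default policy. The dump, the DN uid=rock,ou=people,dc=abc,dc=com and all timestamps are constructed for the example. The attributes it reads (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdReset) are the operational attributes slapo-ppolicy maintains on the entry, so ldapsearch only returns them when they are named explicitly or '+' is requested; the value 000001010000Z in pwdAccountLockedTime is the sentinel slapo-ppolicy documents for an administrative lock, and deleting pwdAccountLockedTime is the documented way to unlock. The two LDIF helpers at the end are what you would feed to ldapmodify to force a reset (pwdReset on the entry, as the answer says) or to clear a lockout.

```python
# Added example (not from the thread): evaluate a user's ppolicy state from an
# ldapsearch dump. Stdlib only; the entry below is constructed, not real data.
from datetime import datetime, timedelta, timezone

# Dump as returned by e.g.
#   ldapsearch -x -D cn=admin,dc=abc,dc=com -W -b dc=abc,dc=com '(uid=rock)' \
#       pwdChangedTime pwdFailureTime pwdAccountLockedTime pwdReset
# These are operational attributes, so they must be named explicitly (or '+').
SAMPLE_ENTRY = """\
dn: uid=rock,ou=people,dc=abc,dc=com
uid: rock
pwdChangedTime: 20150101080000Z
pwdFailureTime: 20150416063000Z
pwdFailureTime: 20150416063005Z
pwdAccountLockedTime: 20150416063010Z
pwdReset: TRUE
"""

# Values copied from cn=default,ou=policies,dc=abc,dc=com in the question.
POLICY = {
    "pwdMaxAge": 7776002,        # seconds
    "pwdExpireWarning": 432000,  # seconds
    "pwdMaxFailure": 5,
    "pwdLockoutDuration": 900,   # seconds; 0 = locked until an admin clears it
    "pwdMustChange": True,
}

# slapo-ppolicy stores this in pwdAccountLockedTime for an administrative lock.
ADMIN_LOCK_SENTINEL = "000001010000Z"


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: attr -> list of values (no base64, no folding)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_gtime(value):
    """LDAP GeneralizedTime as ppolicy writes it, e.g. 20150416063010Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_status(attrs, policy, now):
    """Return lock / expiry / must-change state of one entry at time `now`."""
    status = {
        "locked": False, "unlock_at": None,
        "failures": len(attrs.get("pwdFailureTime", [])),
        "expired": False, "expires_at": None, "warning": False,
        "must_change": False,
    }

    # Lock status lives in pwdAccountLockedTime on the entry, not in the policy.
    locked = attrs.get("pwdAccountLockedTime")
    if locked:
        if locked[0] == ADMIN_LOCK_SENTINEL or policy["pwdLockoutDuration"] == 0:
            status["locked"] = True  # stays locked until pwdAccountLockedTime is deleted
        else:
            unlock_at = parse_gtime(locked[0]) + timedelta(seconds=policy["pwdLockoutDuration"])
            status["unlock_at"] = unlock_at
            status["locked"] = now < unlock_at

    # Expiry: the password is expired once pwdChangedTime + pwdMaxAge has passed.
    changed = attrs.get("pwdChangedTime")
    if changed and policy["pwdMaxAge"] > 0:
        expires_at = parse_gtime(changed[0]) + timedelta(seconds=policy["pwdMaxAge"])
        status["expires_at"] = expires_at
        status["expired"] = now >= expires_at
        warn_from = expires_at - timedelta(seconds=policy["pwdExpireWarning"])
        status["warning"] = not status["expired"] and now >= warn_from

    # Forced change needs both: pwdMustChange in the policy and pwdReset on the entry.
    reset = attrs.get("pwdReset", ["FALSE"])[0].upper() == "TRUE"
    status["must_change"] = policy["pwdMustChange"] and reset
    return status


def force_reset_ldif(dn):
    """LDIF for ldapmodify that makes the next bind require a password change."""
    return f"dn: {dn}\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n"


def unlock_ldif(dn):
    """LDIF for ldapmodify that clears a lockout (delete pwdAccountLockedTime)."""
    return f"dn: {dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_ENTRY)
    for key, val in account_status(entry, POLICY, parse_gtime("20150416063500Z")).items():
        print(f"{key}: {val}")
```

With the constructed entry the account is locked until 06:45:10Z (900 s after pwdAccountLockedTime), the password expired on 2015-04-01 because pwdChangedTime + 7776002 s had passed, and must_change is true only because pwdReset: TRUE is present on the entry in addition to pwdMustChange: TRUE in the policy. Note that a policy with pwdFailureCountInterval: 0, as here, never ages out pwdFailureTime values on its own; they are cleared by the next successful bind.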