Never mind, I have got it working now. The issue was that my LDIF file had the password policies definition after the users definition, so the password policies were not getting applied initially to the users (till the password was changed again).

#LDIF file
# admin, people, example.com
dn: uid=admin,ou=people,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
- - - -

# policies, example.com
dn: ou=policies,dc=example,dc=com
ou: policies
objectClass: organizationalUnit
objectClass: top
Changing the order in the LDIF made it work. Strange issue, though.
Regards,
Swapnil
________________________________
From: Swapnil Dubey swapnil_k_d2002@yahoo.com
To: "openldap-technical@openldap.org" openldap-technical@openldap.org
Sent: Thursday, March 21, 2013 11:42 PM
Subject: pwdMaxAge And pwdExpireWarning not working
Hi All,

I am using OpenLDAP 2.4.32 on Solaris 10. It seems that pwdMaxAge and pwdExpireWarning are not working. Other policies like pwdInHistory and pwdLockout seem to work fine. I cannot see either an expiry message or an authentication failure in the logs after I wait for the configured time/seconds. Can somebody help me out with this?

-bash-3.00# ./ldapwhoami -x -D uid=admin,ou=People,dc=example,dc=com -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 0 seconds)
dn:uid=admin,ou=people,dc=example,dc=com

Here is my configuration.

-bash-3.00# ./ldapsearch -x -b "dc=example,dc=com" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: domain
dc: example

# roles, example.com
dn: ou=roles,dc=example,dc=com
objectClass: organizationalUnit
ou: roles

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

# admin, people, example.com
dn: uid=admin,ou=people,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: admin
displayName: Admin
givenName: admin
mail: admin@example.com
sn: Admin
uid: admin
userPassword:: e1NTSEF9NU1WNHpuTHB2N3ZmSkcvaU44VC85QkNJMWVueU5hcDc=

# utsacct_provisioner, roles, example.com
dn: cn=utsacct_provisioner,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: utsacct_provisioner
uniqueMember: uid=admin,ou=people,dc=example,dc=com

# provisioner, roles, example.com
dn: cn=provisioner,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: provisioner
uniqueMember: uid=admin,ou=people,dc=example,dc=com

# policies, example.com
dn: ou=policies,dc=example,dc=com
ou: policies
objectClass: organizationalUnit
objectClass: top

# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8

Slapd.conf
---------------------------------
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

Regards,
Swapnil
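As an added example (not from the thread and not OpenLDAP's own code), a small Python checker for the ordering problem the reply describes: it parses an LDIF file, flags any userPassword-bearing entry that appears before a pwdPolicy entry, and also checks that pwdExpireWarning is smaller than pwdMaxAge, which slapo-ppolicy requires. The parse_ldif and check_policy_order names and the sample entries are constructed for this example.

```python
def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order. Comment lines are skipped,
    folded continuation lines (leading space) are joined to the previous value,
    and 'attr::' base64 values are kept as opaque strings."""
    entries, dn, attrs, last = [], None, {}, None
    for line in text.splitlines() + [""]:         # trailing "" closes the last entry
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:          # folded line
            attrs[last][-1] += line[1:]
            continue
        if not line.strip():                       # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs, last = None, {}, None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.lstrip(": ").strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
            last = key
    return entries

def check_policy_order(text):
    """Problems in file order; [] means every userPassword-bearing entry follows a
    pwdPolicy entry and each policy has pwdExpireWarning < pwdMaxAge."""
    problems, policy_seen = [], False
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "pwdpolicy" in classes:
            policy_seen = True
            warn = int(attrs.get("pwdexpirewarning", ["0"])[0])
            max_age = int(attrs.get("pwdmaxage", ["0"])[0])
            if max_age and warn >= max_age:
                problems.append(f"{dn}: pwdExpireWarning ({warn}) must be < pwdMaxAge ({max_age})")
        elif "userpassword" in attrs and not policy_seen:
            problems.append(f"{dn}: has userPassword but no pwdPolicy entry precedes it")
    return problems

# Constructed sample entries (placeholder hash, not the poster's data).
USER = ("dn: uid=admin,ou=people,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
        "uid: admin\nuserPassword: {SSHA}placeholder\n")
POLICY = ("dn: cn=default,ou=policies,dc=example,dc=com\nobjectClass: pwdPolicy\n"
          "pwdAttribute: userPassword\npwdMaxAge: 2000\npwdExpireWarning: 600\n")
BAD_ORDER = USER + "\n" + POLICY    # the poster's original layout: user first
GOOD_ORDER = POLICY + "\n" + USER   # the fix: policy defined before the user
```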