Thanks for the reply. I actually figured out the problem Friday but was tasked with
getting all of the changes done for PCI compliance and didn't have time to mark this
The problem was that there were 2 ppolicy overlay entries - apparently someone created a
ppolicy overlay in 2013 when it was set up but didn't load the module and I didn't
detect the previous ppolicy overlay entry was there until I started looking things over
with the error. I deleted one and then password changes worked - problem solved.
From: openldap-technical [mailto:firstname.lastname@example.org] On Behalf Of
Sent: Saturday, August 29, 2015 12:14 AM
Subject: Re: ppolicy and pwdGraceUseTime
I think you are confusing between the password expiration and account
If your account is locked after several failed attempts to bind, you
cannot modify your passwords.
On 28/08/2015 18:37, Craig White wrote:
Adding in policy in already running OpenLDAP installation. Mostly
functional – I was locked out after failed password attempts as expected.
Existing user with password beyond expiration is an issue. It is
extended grace logins as expected but when I try to change the password,
I get an error which appears to be “error 16 – modify/delete:
pwdGraceUseTime: no such attribute”
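
The duplicate ppolicy overlay condition reported at the top of this thread can be checked for mechanically. The script below is an added example, not part of the original messages: it assumes a cn=config (slapd.d) deployment, and the LDIF sample, database type and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the output of:
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
#       '(objectClass=olcOverlayConfig)' olcOverlay
# The database type and overlay indexes are made up for this example.
SAMPLE_LDIF = """\
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
olcOverlay: {0}ppolicy

dn: olcOverlay={1}memberof,olcDatabase={1}hdb,cn=config
olcOverlay: {1}memberof

dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=
 config
olcOverlay: {2}ppolicy
"""

def unfold(ldif):
    """Join LDIF continuation lines (a line break followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def duplicate_overlays(ldif):
    """Return {(database_dn, overlay): [entry_dn, ...]} for every overlay
    that is configured more than once on the same database.
    Base64-encoded DNs ("dn::") are not handled here."""
    seen = defaultdict(list)
    for line in unfold(ldif).splitlines():
        # The {N} ordering prefix is dropped so {0}ppolicy and {2}ppolicy
        # compare as the same overlay.
        m = re.match(r"dn:\s*olcOverlay=(?:\{-?\d+\})?([^,]+),(.+)$", line, re.I)
        if m:
            overlay = m.group(1).strip().lower()
            parent = m.group(2).strip().lower()
            seen[(parent, overlay)].append(line.split(":", 1)[1].strip())
    return {key: dns for key, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    for (db, overlay), dns in duplicate_overlays(SAMPLE_LDIF).items():
        print(f"{overlay} is configured {len(dns)} times on {db}:")
        for dn in dns:
            print("   " + dn)
```
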