Thanks for the reply. I actually figured out the problem Friday but was tasked with getting all of the changes done for PCI compliance and didn't have time to mark this as solved.
The problem was that there were 2 ppolicy overlay entries - apparently someone created a ppolicy overlay in 2013 when it was set up but didn't load the module, and I didn't detect the previous ppolicy overlay entry was there until I started looking things over with the error. I deleted one and then password changes worked - problem solved.
-----Original Message-----
From: openldap-technical [mailto:firstname.lastname@example.org] On Behalf Of Abdelhamid Meddeb
Sent: Saturday, August 29, 2015 12:14 AM
To: email@example.com
Subject: Re: ppolicy and pwdGraceUseTime
I think you are confusing password expiration with account lockout.
If your account is locked after several failed attempts to bind, you cannot modify your passwords.
On 28/08/2015 18:37, Craig White wrote:
Adding in policy in an already running OpenLDAP installation. Mostly functional – I was locked out after failed password attempts as expected.
Existing user with password beyond expiration is an issue. It is extended grace logins as expected but when I try to change the password, I get an error which appears to be “error 16 – modify/delete: pwdGraceUseTime: no such attribute”