Hi,

I've recently configured a new openldap 2.4.32 server with the ppolicy overlay. Most of the features like lockout and minLength work fine, but I can't seem to force the user's password to expire. I've even set pwdReset: TRUE on the user's record to try and force them to reset the password, but it doesn't seem to do anything.

Here's my overlay config:

MBP2:~ me$ ldapsearch -h 10.242.25.158 -D "cn=root,cn=config" -x -W -b "cn=config" -s sub "olcOverlay=ppolicy" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: olcOverlay=ppolicy # requesting: ALL #

# {1}ppolicy, {1}bdb, config dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {1}ppolicy olcPPolicyDefault: cn=default,ou=policies,dc=my,dc=domain,dc=com

# search result search: 2 result: 0 Success

# numResponses: 2 # numEntries: 1

And the default pwdPolicy object:

MBP2:~ me$ ldapsearch -h 10.242.25.158 -D "cn=ldapadmin,dc=my,dc=domain,dc=com" -x -W -b "ou=policies,dc=my,dc=domain,dc=com" -s sub "cn=default" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=policies,dc=my,dc=domain,dc=com> with scope subtree # filter: cn=default # requesting: ALL #

# default, policies, my.domain.com dn: cn=default,ou=policies,dc=my,dc=domain,dc=com objectClass: person objectClass: top objectClass: pwdPolicy cn: default pwdAllowUserChange: TRUE pwdAttribute: 2.5.4.35 pwdCheckQuality: 2 pwdExpireWarning: 0 pwdFailureCountInterval: 30 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 300 pwdMaxAge: 11555200 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLength: 5 pwdMustChange: TRUE pwdSafeModify: TRUE sn: dummy value

I turned on trace debugging and I do see it successfully loading cn=default,ou=policies,dc=my,dc=domain,dc=com during the bind operation, so it appears that ppolicy is running fine and loading the policy object.

Any ideas?