Hi all,
We're implementing a basic user directory with OpenLDAP, and the ppolicy attributes pwdMaxAge and pwdMinAge give us some desired functionality, but we need the ability for managers to reset a user's password.
If we use the “rootdn” then this works, but we need to have other user accounts designated as managers. Even if we define ACLs to give our management group “manage” access we can still get the following from ldappasswd:
Result: Constraint violation (19) Additional info: Password is too young to change
Is there any way to designate a group of users as "managers" such that pwdMinAge is not applied?
These are the ACLs we've tried without success to give the “UserAdmin” group the rights:
cat <<__EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
  by self =xw
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" manage
  by anonymous auth
  by * none
olcAccess: to dn.base="ou=Users,${LDAP_SERVER_BASE}"
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" manage
  by * read
olcAccess: to dn.children="ou=Users,${LDAP_SERVER_BASE}" filter=(objectClass=posixAccount)
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" write
  by * read
olcAccess: to dn.base="cn=UserAdmin,${LDAP_SERVER_BASE}" attrs=member
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" write
  by * read
olcAccess: to *
  by * read
-
__EOF
Thanks
Phil
openldap-technical@openldap.org
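The "Password is too young to change" result comes from the ppolicy overlay comparing the entry's pwdChangedTime against the policy's pwdMinAge, independently of what the ACLs grant. The script below is an added example, not code from the post or from OpenLDAP: it takes ldapsearch-style output for a user entry and its policy entry and reports how many seconds remain before a password change would pass that age check (0 when no pwdChangedTime is present, which is also what ppolicy does). The DNs, attribute values and the "now" timestamp are constructed sample data.

```python
"""
Work out whether a ppolicy-protected entry would currently fail the
pwdMinAge check, and how long the wait is.

Added example (not from the mailing-list post or OpenLDAP itself).
ppolicy refuses a password modify while
    pwdChangedTime + pwdMinAge > now
and skips the check entirely when the entry has no pwdChangedTime.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data, shaped like `ldapsearch -LLL` output for a
# user entry and the policy entry that applies to it (not real directory data).
SAMPLE_USER_LDIF = """\
dn: uid=jdoe,ou=Users,dc=example,dc=com
uid: jdoe
pwdChangedTime: 20240301120000Z
"""
SAMPLE_POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
pwdMinAge: 86400
pwdMaxAge: 7776000
"""


def parse_ldif_attrs(ldif: str) -> dict:
    """Minimal parser for one flat LDIF entry (no line folding, no base64 values)."""
    attrs = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip()] = value.strip()
    return attrs


def parse_generalized_time(value: str) -> datetime:
    """Parse the UTC GeneralizedTime form ppolicy writes: YYYYmmddHHMMSSZ."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime ending in Z")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def seconds_until_change_allowed(pwd_changed_time: datetime, pwd_min_age: int,
                                 now: datetime) -> int:
    """Seconds left before pwdMinAge is satisfied; 0 if a change is allowed now."""
    if pwd_min_age <= 0:
        return 0
    allowed_at = pwd_changed_time + timedelta(seconds=pwd_min_age)
    remaining = (allowed_at - now).total_seconds()
    return max(0, int(remaining))


def check_entry(user_ldif: str, policy_ldif: str, now: datetime) -> int:
    """Combine a user entry and its policy; return the wait in seconds (0 = allowed)."""
    user = parse_ldif_attrs(user_ldif)
    policy = parse_ldif_attrs(policy_ldif)
    if "pwdChangedTime" not in user:
        # ppolicy has never stamped this entry, so it applies no minimum age yet
        return 0
    changed = parse_generalized_time(user["pwdChangedTime"])
    min_age = int(policy.get("pwdMinAge", "0"))
    return seconds_until_change_allowed(changed, min_age, now)


if __name__ == "__main__":
    # Constructed "now": six hours after the sample pwdChangedTime.
    now = datetime(2024, 3, 1, 18, 0, 0, tzinfo=timezone.utc)
    wait = check_entry(SAMPLE_USER_LDIF, SAMPLE_POLICY_LDIF, now)
    if wait:
        print(f"password too young: {wait} s until pwdMinAge is satisfied")
    else:
        print("pwdMinAge satisfied; a change would not be refused on age")
```

Running it against real entries means substituting the output of `ldapsearch` for the two sample strings; the comparison itself is the same one slapd makes, so a non-zero result predicts the constraint violation before ldappasswd is run.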