Openldap 2.4.39
Adding in a policy to an already running OpenLDAP installation. Mostly functional - I was locked out after failed password attempts as expected.
An existing user with a password beyond expiration is an issue. It is extending grace logins as expected, but when I try to change the password, I get an error which appears to be "error 16 - modify/delete: pwdGraceUseTime: no such attribute"
But there is that attribute.
# ldapsearch -x -h localhost '(uid=craig.white)' +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=obscured> (default) with scope subtree
# filter: (uid=craig.white)
# requesting: +
#

# craig.white, People, obscured
dn: uid=craig.white,ou=People,dc=obscured
entryUUID: c4ae47b4-c3e9-1033-8b0f-497efc42df64
creatorsName: cn=root,dc=obscured
createTimestamp: 20140829170048Z
pwdChangedTime: 20150730153646Z
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=personnelpp,ou=Policies,dc=obscured
pwdGraceUseTime: 20150827230337Z
pwdGraceUseTime: 20150827230344Z
pwdGraceUseTime: 20150827230351Z
pwdGraceUseTime: 20150827230430Z
pwdGraceUseTime: 20150827230441Z
pwdGraceUseTime: 20150827230847Z
pwdGraceUseTime: 20150827230855Z
pwdGraceUseTime: 20150827231032Z
pwdGraceUseTime: 20150827231039Z
pwdGraceUseTime: 20150828152032Z
pwdGraceUseTime: 20150828152038Z
pwdGraceUseTime: 20150828152404Z
pwdGraceUseTime: 20150828152410Z
pwdGraceUseTime: 20150828152527Z
pwdGraceUseTime: 20150828152533Z
pwdGraceUseTime: 20150828152643Z
pwdGraceUseTime: 20150828152648Z
pwdGraceUseTime: 20150828153349Z
pwdGraceUseTime: 20150828153354Z
pwdGraceUseTime: 20150828153619Z
pwdGraceUseTime: 20150828153623Z
entryCSN: 20150828154229.701657Z#000000#000#000000
modifiersName: cn=admin,dc=obscured
modifyTimestamp: 20150828154229Z
entryDN: uid=craig.white,ou=People,dc=obscured
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Why won't it let me change my password?
Craig White System Administrator O 623-201-8179 M 602-377-9752
SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
Hi,
I think you are confusing password expiration with account lockout.
If your account is locked after several failed attempts to bind, you cannot modify your password.
Cheers.
On 28/08/2015 18:37, Craig White wrote:
Thanks for the reply. I actually figured out the problem Friday but was tasked with getting all of the changes done for PCI compliance and didn't have time to mark this as solved.
The problem was that there were 2 ppolicy overlay entries - apparently someone created a ppolicy overlay in 2013 when it was set up but didn't load the module, and I didn't detect that the previous ppolicy overlay entry was there until I started looking things over with the error. I deleted one and then password changes worked - problem solved.
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Abdelhamid Meddeb
Sent: Saturday, August 29, 2015 12:14 AM
To: openldap-technical@openldap.org
Subject: Re: ppolicy and pwdGraceUseTime
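A configuration audit for the root cause found in this thread (two ppolicy overlay entries on one database, and a ppolicy module that was never loaded), added here as an example and not code from the thread or from the OpenLDAP project: it parses a cn=config LDIF dump of the kind `ldapsearch -LLL -b cn=config` produces and reports any database carrying more than one ppolicy overlay, plus whether any olcModuleLoad names ppolicy. The sample dump and its DNs are constructed placeholders, not the poster's configuration.

```python
import re
from collections import defaultdict

# Constructed cn=config dump (placeholder DNs): one database with two ppolicy
# overlays and a module list that never loads ppolicy, mirroring the thread.
SAMPLE_LDIF = """\
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_hdb

dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,
 dc=example,dc=com

dn: olcOverlay={1}ppolicy,olcDatabase={1}hdb,cn=config
olcOverlay: {1}ppolicy
"""

def parse_ldif(text):
    """Split LDIF into one {attr: [values]} dict per entry; folded lines are joined, '::' values are not decoded."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                  # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(' ') and last:   # folded continuation line
            cur[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(':')
            cur.setdefault(attr, []).append(value.strip())
            last = attr
    if cur:
        entries.append(cur)
    return entries

def audit_ppolicy(ldif_text):
    """Return (duplicates, module_loaded): duplicates maps each database DN with more
    than one ppolicy overlay to those overlay DNs; module_loaded says if ppolicy is loaded."""
    overlays, module_loaded = defaultdict(list), False
    for e in parse_ldif(ldif_text):
        module_loaded |= any(re.fullmatch(r'(\{\d+\})?ppolicy(\.la)?', v)
                             for v in e.get('olcModuleLoad', []))
        for v in e.get('olcOverlay', []):
            if re.fullmatch(r'(\{\d+\})?ppolicy', v):
                db = e['dn'][0].partition(',')[2]   # parent database DN
                overlays[db].append(e['dn'][0])
    return {db: dns for db, dns in overlays.items() if len(dns) > 1}, module_loaded
```

Run against a real dump, a non-empty duplicates map or a False module_loaded is the condition this thread ended up diagnosing by hand.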