Hello,
I'm upgrading our LDAP infrastructure (it'll be a cut-over) and I've noticed that after adding pwdPolicySubentry to a user's account, it doesn't seem to have any affect.
This user hasn't /ever/ reset their password, and the user's account doesn't show any password policy grace period usage after the test.
The pwdPolicySubentry is still the only password policy related entry on his account.
This suggests that I'll need to force people to change their password's at some point.
1) Is what I'm seeing normal/expected? 2) What method(s) have you used to force people to change their password - beyond asking them?
Thanks! - chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
pwdPolicySubentry should work -it's honored in place of the default password policy which is set in your config. If it doesn't work than likely your config lacks the necessary directives to use ppolicy. As far as enforcement pwdMustchange can be set in your policy which looks at the entrys pwdReset value. If both are true then ldap will allow a limited set of rights on the dn enough to bind as tls or ssl and change his or her password.
On Mar 23, 2010, at 5:19 PM, Chris Jacobs Chris.Jacobs@apollogrp.edu wrote:
Hello,
I'm upgrading our LDAP infrastructure (it'll be a cut-over) and I've noticed that after adding pwdPolicySubentry to a user's account, it doesn't seem to have any affect.
This user hasn't /ever/ reset their password, and the user's account doesn't show any password policy grace period usage after the test.
The pwdPolicySubentry is still the only password policy related entry on his account.
This suggests that I'll need to force people to change their password's at some point.
- Is what I'm seeing normal/expected?
- What method(s) have you used to force people to change their
password - beyond asking them?
Thanks!
- chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
openldap-technical@openldap.org