Thanks for that good pointer, Dieter. Although it will force the user to change his password, I'm not sure this will do the trick in our case. We have a custom passwd script that keeps both LDAP and NIS in sync. With the above I believe the NIS password won't be updated.
So is there a way to actually update the pwdChangedTime? (Even out of pure curiosity)
Thanks
On Aug 17, 2016 11:38, "Dieter Klünter" dieter@dkluenter.de wrote:
Am Wed, 17 Aug 2016 10:46:58 +0200 schrieb "PenguinWhispererThe ." th3penguinwhisperer@gmail.com:
Hi all,
I've noticed that after a password reset pwdChangedTime gets updated.
This is fine. We do have a policy in place that doesn't let you modify your password again within a few days.
I'd like to reset/change this pwdChangedTime so the user can reset his password himself after logging in with the supplied password. However deleting/modifying pwdChangedTime doesn't work.
How should I resolve this? I'm pretty sure this is not an ACL issue as my user matches the first entry and is allowed to write all.
I've seen some docs from IBM about removing pwdChangedTime being possible but that might not apply to OpenLDAP.
man slapo-ppolicy(5), read carefully the comments on pwdReset.
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
PenguinWhispererThe . wrote:
So is there a way to actually update the pwdChangedTime? (Even out of pure curiosity)
Use ldapmodify -e relax (Relax Rules Control) which needs manage privilege in access control rules. Use with special caution. You have been warned.
Ciao, Michael.
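The relaxed modify Michael describes, as an added example that is not part of the original thread: it builds the LDIF that replaces pwdChangedTime and validates both inputs before anything reaches ldapmodify. The function names are hypothetical, and the DN, LDAP_URI and BIND_DN values are placeholders to be set by the administrator.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# LDAP_URI and BIND_DN are placeholders supplied by the environment.

# Accept only GeneralizedTime in UTC without fractions: YYYYmmddHHMMSSZ.
valid_gentime() {
    printf '%s\n' "$1" | grep -Eq \
'^[0-9]{4}(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])([01][0-9]|2[0-3])[0-5][0-9][0-5][0-9]Z$'
}

# Emit one LDIF modify record for pwdChangedTime.
# Malformed input is rejected rather than passed on: a newline in the DN
# would let the caller smuggle extra LDIF lines into a relaxed write.
build_ldif() {
    dn=$1
    ts=$2
    nl='
'
    [ -n "$dn" ] || { echo "empty DN" >&2; return 2; }
    case $dn in
        *"$nl"*) echo "DN contains a newline" >&2; return 2 ;;
    esac
    valid_gentime "$ts" || { echo "bad timestamp: $ts" >&2; return 2; }
    printf 'dn: %s\nchangetype: modify\nreplace: pwdChangedTime\npwdChangedTime: %s\n' \
        "$dn" "$ts"
}

# Send the record. -e relax attaches the Relax Rules control, which lets
# slapd accept a write to this NO-USER-MODIFICATION attribute. The bind
# identity needs "manage" access to the entry in slapd's ACLs.
apply_change() {
    build_ldif "$1" "$2" |
        ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W -e relax
}

# Usage (constructed values):
#   LDAP_URI=ldap://ldap.example.com BIND_DN=cn=admin,dc=example,dc=com
#   apply_change "uid=jdoe,ou=people,dc=example,dc=com" 20160810084658Z
```

Moving pwdChangedTime also changes the expiry date that the policy computes from it, so keep the old value (ldapsearch returns operational attributes when `+` is requested) and log who made the change.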
Am Thu, 18 Aug 2016 13:06:06 +0200 schrieb "PenguinWhispererThe ." th3penguinwhisperer@gmail.com:
Thanks for that good pointer, Dieter. Although it will force the user to change his password, I'm not sure this will do the trick in our case. We have a custom passwd script that keeps both LDAP and NIS in sync. With the above I believe the NIS password won't be updated.
So is there a way to actually update the pwdChangedTime? (Even out of pure curiosity)
man ldapmodify(1), read about relax extension.
-Dieter
Cool :) thanks both of you for the feedback!
openldap-technical@openldap.org