admin account expires, expire time refuses to update

Hi Brandon,
It seems to me that the password policy is being applied to your Directory Manager user. I recall that you can disable password policy for cn=config users but can't find that in the documentation now. It is also worthwhile reading the second paragraph of 7.1.1.5 in the Admin guide, which refers to a bug regarding password policy. That might not be true any more, so read it with a pinch of salt.

Regards
________________________________________
From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Brandon G [bjg at solv.com]
Sent: 09 August 2010 18:30
To: 389-users at lists.fedoraproject.org
Subject: admin account expires, expire time refuses to update

I am in a curious situation (and by curious I mean frustratingly
annoying). I have enabled strong password policies, including
expirations, across my tree (policy of the site).  This has since
affected my 'admin' account in
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot.  I
discovered this was happening when I was no longer able to log in to the
IDM/admin console.

Unfortunately, the IDM gave a very obtuse error about not being able to
find an object.  I discovered the real problem when I tried an
ldapsearch with the admin uid, and it then returned password expired.
This is a side issue, not part of the core problem.

I used ldapmodify with "cn=directory  manager" and changed the password
hash.  I can then log in with IDM again.  I then go (in IDM) to the admin
account and I change passwordexpirationtime to be 2040........Z (i.e.
some time in the distant future).  I save this change; restart the
directory server and the account is expired again.  If I go through the
same reset process and pull up the value, it has not committed the
passwordexpirationtime attribute, it is back to the original
setting(!?)  To be even more confusing, if I do an ldapsearch on the
uid=admin account, it doesn't even show the passwordexpirationtime
attribute (and thus cannot be updated).  I can only see/change this via IDM.

Can anybody explain this behavior? Is there a better way to exclude the
admin account from the password policies of the server? Can somebody
explain why I can see some attributes on uid=admin that cannot be seen
with ldapsearch?

Versions:

389-ds-console-1.2.0-5
389-admin-1.1.9-1
389-admin-console-1.1.4-2
389-console-1.1.3-5
389-ds-base-1.2.3-1
389-admin-console-doc-1.1.4-2
389-adminutil-1.1.8-4
389-ds-console-doc-1.2.0-5
389-dsgw-1.1.4-1
389-ds-1.1.3-5
RHEL 5.5

Any help/insight into this matter would be greatly appreciated.

-B.G.