Hi All,

I am having difficulty getting user password policy management working. I want to use a local per-user based password policy. Here is the configuration I use:

container configuration -

dn: cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

entry configuration -

dn: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
cn: userPasswordPolicy
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy
passwordGraceLimit: 3
passwordMustChange: on
passwordChange: on
passwordExp: on
passwordMaxAge: 2
passwordHistory: on
passwordCheckSyntax: on

nsslapd-pwpolicy-local -

dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: on

per-user password policy configuration -

dn: uid=xinhuan,ou=people,dc=christianbook,dc=com
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com

However, when I reset my userpassword using the ldapmodify command, I am able to log in from the remote client that authenticates with my 389 directory server, without being prompted to change my password the first time I log in, which is against the 'passwordMustChange' policy.

The second thing is that I tried to expire my password so I can test 'passwordExp'. However, when I did 'passwd -e xinhuan' on the LDAP client, I got an error:

Expiring password for user xinhuan.
passwd: Error

What's going on?

Thanks,
- xinhuan

--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
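
The four configuration steps in the post can be checked for internal consistency offline before they are loaded. This is an added example, not part of the original post and not 389 Directory Server code; the helper names (`norm_dn`, `parse_ldif`, `check_user_policy`), the abridged sample and the choice of checks are assumptions taken from the LDIF shown above, and a clean result only shows that the entries reference each other correctly, not that the server or client enforces the policy.

```python
# Constructed sample: abridged from the LDIF in the post (offline, no server needed).
SAMPLE_LDIF = """\
dn: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
objectclass: ldapsubentry
objectclass: passwordpolicy
passwordMustChange: on

dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: on

dn: uid=xinhuan,ou=people,dc=christianbook,dc=com
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
"""

def norm_dn(dn):
    # Simplified DN normalization (assumption): lowercase, trim RDNs, no escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}}; no base64 or line folding."""
    records = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            records[norm_dn(attrs["dn"][0])] = attrs
    return records

def check_user_policy(records, user_dn):
    """Return a list of wiring problems; an empty list means the entries are consistent."""
    problems = []
    cfg = records.get("cn=config", {})
    if [v.lower() for v in cfg.get("nsslapd-pwpolicy-local", [])] != ["on"]:
        problems.append("nsslapd-pwpolicy-local is not set to on")
    pointers = records.get(norm_dn(user_dn), {}).get("pwdpolicysubentry", [])
    policy = records.get(norm_dn(pointers[0])) if len(pointers) == 1 else None
    if policy is None:
        return problems + ["pwdpolicysubentry is missing, multi-valued, or dangling"]
    classes = {c.lower() for c in policy.get("objectclass", [])}
    for needed in ("ldapsubentry", "passwordpolicy"):  # classes used in the post's entry
        if needed not in classes:
            problems.append(f"policy entry lacks objectClass {needed}")
    return problems
```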