On 10/25/2016 11:10 AM, Mark Reynolds wrote:
On 10/25/2016 10:37 AM, Alberto Viana wrote:
Hello,
Version
I'm trying to implement password expiration policy with
no success, I've changed my config:
dn: cn=config
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 120
But after that I'm still able to bind with my (or any)
user in 389.
Am I missing something? Also, what attribute does 389 use
to control that? I could not see any attribute in my user
related to that.
Additionally, make sure "passwordChange: on" is set in cn=config
(so users can change their passwords)
After setting this you must change the password in the entry (this
sets the passwordexpirationtime operational attribute in the
entry).
I forgot to mention that you MUST change the password as the user,
not "directory manager" or some admin account. Changing the
password as directory manager will not set the
passwordexpirationtime operational attribute in the entry (as
Directory Manager bypasses password policy).
Then the expiration time will be enforced on future
logins for that entry. These settings do not work retroactively.
Hope this helps,
Mark
All changes were based on this doc:
Thanks.
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
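The check discussed in this thread, as an added example that is not part of the original messages: it reads LDIF text such as an `ldapsearch` that explicitly requests the operational attribute `passwordExpirationTime` would return, and reports which entries have no expiration time yet (the password was not changed by the user after the policy was enabled), which are expired, and which are still valid. The sample LDIF is constructed, the function names are hypothetical, and the code assumes plain-text (not base64) values with timestamps in `YYYYMMDDHHMMSSZ` form.

```python
from datetime import datetime, timezone

# Constructed sample of LDIF search output (not taken from the thread).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
passwordExpirationTime: 20161025151200Z

dn: uid=bob,ou=People,dc=example,dc=com

dn: uid=carol,ou=People,dc=example,
 dc=com
passwordExpirationTime: 20170222151000Z
"""

def parse_entries(ldif):
    """Return {dn: {attr_lower: value}} from plain-text LDIF, unfolding wrapped lines."""
    unfolded = ldif.replace("\n ", "")  # LDIF continuation lines start with one space
    entries = {}
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs[name.lower()] = value.strip()
        if "dn" in attrs:
            entries[attrs.pop("dn")] = attrs
    return entries

def expiry_status(ldif, now):
    """Classify each entry as 'unset', 'expired' or 'valid' at UTC time `now`."""
    result = {}
    for dn, attrs in parse_entries(ldif).items():
        raw = attrs.get("passwordexpirationtime")
        if raw is None:
            # No timestamp on the entry: the server has nothing to enforce at bind time.
            result[dn] = "unset"
            continue
        expires = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        result[dn] = "expired" if expires <= now else "valid"
    return result

if __name__ == "__main__":
    now = datetime(2016, 10, 26, tzinfo=timezone.utc)
    for dn, status in expiry_status(SAMPLE_LDIF, now).items():
        print(f"{status:8} {dn}")
```

Entries reported as `unset` are the ones that can still bind indefinitely, which matches the behaviour described in the original question.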