|
On 02/28/2017 02:25 AM,
tuan88@xxxxxxxxx wrote:
But you are using subtree policies, these override the global policy. You need set to passwordHistory in your subtree policy:hpasswordHistory is not set in your policy config, thus it is not beingen forced:yes it is, i had set it the last many years pls see the screendump in my first thread dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DInfrastructure\2Cdc\3Dnnit,cn=nsPwPolicyContainer,ou=Infrastructure,dc=nnit passwordStorageScheme: ssha passwordGraceLimit: 1 passwordChange: on passwordWarning: 86400 passwordMinAge: 0 passwordExp: on passwordMustChange: on passwordMaxAge: 86400 objectClass: ldapsubentry objectClass: passwordpolicy objectClass: top cn: cn=nsPwPolicyEntry,ou=Infrastructure,dc=nnit passwordHistory: 12Also it looks like the passwords were never reset by the actual user. Hence the passwordExpirationtime is still set to the EPOCH date. Note - the Directory Manager account completely bypasses password policy. So if you change the password as directory manager it will let you do whatever you want. So make sure you always change passwords as a "database user" if you expect password policies to be enforced. This is why client applications should NEVER use directory manager - it is an unrestricted account. Policy settings from GUI: www.chezmoi.dk/389-passwd-not-expire.png bt Tuan _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx |
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
