On Mon, 2017-06-26 at 17:16 +0000, Mitch Patenaude wrote:
> I'm trying to migrate my organization to FDS, but policy requires a 90 day
> password expiration, and pam_ldap modules aren't forcing password changes
> even after the password expired.
>
> I saw in a thread back from 2011 that somebody was having an issue where
> setting passwordExpirationTime to 19700101000000Z would force a change, but
> 19700101000001Z wouldn't. Well... even setting to 19700101000000Z doesn't
> work for me.
>
> intdns1-01-lv:~ mpatenaude$ luser mitchtest2
> dn: uid=mitchtest2,ou=People,dc=prod,dc=shutterfly,dc=com
> passwordExpirationTime: 19700101000000Z
> loginShell: /bin/bash
> uid: mitchtest2
> cn: Mitch Test2
> givenName: Mitch
> sn: Test2
> mail: mitchtest2@xxxxxxxxxxxxxx
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: ldapPublicKey
> uidNumber: 5134
> gidNumber: 5134
> homeDirectory: /home/mitchtest2
> gecos: Mitch Test2
>
> But it lets that account log in without prompting for a password change.
>
> Any ideas?

It's probably worth reading
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/user_account_management#Configuring_the_Password_Policy-Configuring_a_Global_Password_Policy_Using_the_Command_Line

I would check that the date format is correct (enough digits). Check the
number of grace logins you have as well.

Finally, to help us diagnose this, it would be good to see the password
policy related attributes from cn=config.

Thanks,

--
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
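The three checks William suggests (date format with enough digits, grace logins, and the global policy in cn=config) can be run offline against exported LDIF. The following is an added example, not code from either poster or from 389 DS: the user entry and cn=config values are constructed placeholders, and the policy attribute names `passwordExp` and `passwordGraceLimit` are assumed from the 389 DS global password policy.

```python
import re
from datetime import datetime, timezone

# Constructed sample data: a user entry shaped like the one in the post, and the
# cn=config policy attributes the reply asks for (placeholder values, assumed names).
USER_ENTRY = """dn: uid=mitchtest2,ou=People,dc=example,dc=com
passwordExpirationTime: 19700101000000Z
uid: mitchtest2
"""
POLICY = """dn: cn=config
passwordExp: off
passwordGraceLimit: 3
"""

GENERALIZED_TIME = re.compile(r"^(\d{14})Z$")  # exactly 14 digits then 'Z'

def parse_ldif(text):
    """Minimal LDIF-to-dict parser: lower-cased attribute names, list of values."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs

def parse_generalized_time(value):
    """Return an aware UTC datetime, or None when value is not YYYYMMDDHHMMSSZ."""
    match = GENERALIZED_TIME.match(value)
    if not match:
        return None
    return datetime.strptime(match.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def diagnose(user_ldif, policy_ldif, now=None):
    """List reasons why a user with an 'expired' password may still be allowed to bind."""
    now = now or datetime.now(timezone.utc)
    user, policy = parse_ldif(user_ldif), parse_ldif(policy_ldif)
    findings = []
    raw = user.get("passwordexpirationtime", [None])[0]
    expiry = parse_generalized_time(raw) if raw else None
    if raw is None:
        findings.append("entry has no passwordExpirationTime")
    elif expiry is None:
        findings.append(f"malformed passwordExpirationTime {raw!r}: need 14 digits + Z")
    elif expiry > now:
        findings.append("passwordExpirationTime is still in the future")
    if policy.get("passwordexp", ["off"])[0].lower() != "on":
        findings.append("passwordExp is not 'on' in cn=config, so expiry is never enforced")
    grace = int(policy.get("passwordgracelimit", ["0"])[0])
    if grace > 0:
        findings.append(f"passwordGraceLimit={grace}: binds still succeed until grace logins are used")
    return findings
```

With the constructed sample the expiry value itself is well formed and in the past, so the only findings are the disabled policy and the remaining grace logins, which is the kind of result that explains a successful login despite an "expired" password.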
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx