Hello List,
Having been troubled in the past with account expiration on an
iplanet5.1 server with linux clients, I wanted to get this working
during my evaluation / testing of FDS.
I have enabled the password policy on the FDS and set the ldap.conf
entries necessary to get this working. Upon doing this and then
logging in and out, new fields appear in the people container for that
account. Such as passwordexpirationtime, passwordretrycount, etc... All
is working, such as, a passwd change will update the necessary fields
for the correct length of time reset counts, etc...
When testing the password expiration warning I stumbled onto the issue,
that I do not get an actual "Your password will expire in XX days"
message. I do see where the field, passwordexpwarned is set to "1", but
I do not ever get an actual message.
The way I am testing is to set the policy to warn the user, 3 days in
advance. Then I set the passwordexpiratontime to a date less than three
days away. Then attempt to log in. Login is ok, but no warning of the
impending doom about to strike the account.
If I actually set the expirationtime to a time less than the current,
then I can login until passwordusergracetime is GE the allowed number of
logins after the password expiration. At which time I get a message
that the password expired and it must be changed immediately, at which
time the connection immediately closes and the password cannot be changed!
No log entries in error, so I am not sure what I have overlooked?
Any advice or suggestions?
Also when doing an ldapsearch and binding as an admin user I can not see
the entries for the passwordXXXXXXX fields. Is there a certain
ldapsearch switch to see those? Possibly an ACI missing on my part?
TIA
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
