Hi Brandon,

It seems to me that the password policy is being applied to your Directory Manager user. I recall that you can disable password policy for cn=config users but can't find that in the documentation now.

It is also worthwhile reading the second paragraph of 7.1.1.5 in the Admin guide, which refers to a bug regarding password policy. That might not be true any more, so read it with a pinch of salt.

Regards

________________________________________
From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] on behalf of Brandon G [bjg@xxxxxxxx]
Sent: 09 August 2010 18:30
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [389-users] admin account expires, expire time refuses to update

I am in a curious situation (and by curious I mean frustratingly annoying).

I have enabled strong password policies, including expirations, across my tree (policy of the site). This has since affected my 'admin' account in uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot. I discovered this was happening when I was no longer able to log in to the IDM/admin console. Unfortunately, the IDM gave a very obtuse error about not being able to find an object. I discovered the real problem when I tried an ldapsearch with the admin uid, and it then returned password expired. This is a side issue, not part of the core problem.

I used ldapmodify with "cn=directory manager" and changed the password hash. I can then log in with IDM again. I then go (in IDM) to the admin account and I change passwordexpirationtime to be 2040........Z (i.e. some time in the distant future). I save this change; restart the directory server and the account is expired again. If I go through the same reset process and pull up the value, it has not committed the passwordexpirationtime attribute, it is back to the original setting(!?)

To be even more confusing, if I do an ldapsearch on the uid=admin account, it doesn't even show the passwordexpirationtime attribute (and thus cannot be updated). I can only see/change this via IDM.

Can anybody explain this behavior? Is there a better way to exclude the admin account from the password policies of the server? Can somebody explain why I can see some attributes on uid=admin that cannot be seen with ldapsearch?

Versions:
389-ds-console-1.2.0-5
389-admin-1.1.9-1
389-admin-console-1.1.4-2
389-console-1.1.3-5
389-ds-base-1.2.3-1
389-admin-console-doc-1.1.4-2
389-adminutil-1.1.8-4
389-ds-console-doc-1.2.0-5
389-dsgw-1.1.4-1
389-ds-1.1.3-5
RHEL 5.5

Any help/insight into this matter would be greatly appreciated.

-B.G.

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
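An added example, not code from either message in the thread: a small POSIX shell helper for the reset step Brandon describes, done with the command-line clients instead of the console. It assumes OpenLDAP-style ldapsearch/ldapmodify on PATH, the server URI in LDAP_URI and the Directory Manager password in DM_PW (variable names chosen here); the admin DN is the one from the original post, and the expiry value in the comments is a constructed sample, not the value from the thread. In 389 DS, passwordExpirationTime is defined with USAGE directoryOperation, so ldapsearch returns it only when it is named explicitly in the attribute list, which is why show_expiry requests it by name.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenLDAP-style ldapsearch/ldapmodify,
# a server at $LDAP_URI and the Directory Manager password in $DM_PW (names chosen
# here). ADMIN_DN is the DN from the original post.
ADMIN_DN="uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"

# passwordExpirationTime must be an LDAP GeneralizedTime: YYYYMMDDHHMMSSZ.
# A partial value such as "2040Z" is rejected before anything reaches the server.
valid_gentime() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the LDIF that ldapmodify applies to push the expiry into the future.
# Example argument (constructed sample): 20400101000000Z
build_expiry_ldif() {
    valid_gentime "$1" || { echo "bad GeneralizedTime: $1" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nreplace: passwordExpirationTime\npasswordExpirationTime: %s\n' \
        "$ADMIN_DN" "$1"
}

# passwordExpirationTime is an operational attribute, so a plain ldapsearch
# omits it; it is returned only when named explicitly in the attribute list.
show_expiry() {
    ldapsearch -x -H "$LDAP_URI" -D "cn=Directory Manager" -w "$DM_PW" \
        -b "$ADMIN_DN" -s base "(objectClass=*)" passwordExpirationTime
}

# Bind as Directory Manager (as in the original post) and apply the change,
# then read the attribute back so the result can be checked before a restart.
apply_expiry() {
    build_expiry_ldif "$1" | ldapmodify -x -H "$LDAP_URI" -D "cn=Directory Manager" -w "$DM_PW" \
        && show_expiry
}
```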