Tuesday, October 4, 2016

[389-users] 389 Directory Password Expiry Behaviour

Hi,

We are seeing some odd behaviour with 389 compared to what the diagram below suggests (from RHDS Documentation):
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Deployment_Guide/images/pwdpolicy.png

We have a user with an expired password with no grace logons; that user is unable to change their own password. On bind they receive "Invalid Credentials 49 Additional Info: password expired!", which is the same as we see when manually trying to change the password (using their account to bind) using ldappasswd as well.

According to the flow diagram we should be expecting 389 to basically force change the password, which incidentally works fine when the passwordexpirytime attribute is set to epoch but not when it is any other value.

My question is basically: how should we expect this to work, and how should a user with an expired password be able to change their password without admin assistance?

Thanks
James
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
