Wednesday, March 16, 2022

[389-users] Re: passwordExpirationTime vs password admin

Hi Mike,

I'm not sure I understand the issue.  If a userpassword is changed, and
password expiration is turned on, then the attribute is always updated.
It doesn't matter who makes the password change.  A "password
Administrator" is just allowed to bypass syntax checks - that's it.

Anyway this all works for me.  Here I show the audit log as I make
changes and I see passwordExpirationtime being updated:

dn: cn=mark,ou=people,dc=example,dc=com
result: 0
changetype: add
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
cn: mark
displayName: mark
passwordExpirationTime: 20220624152751Z
userPassword:: ...
modifiersName: cn=directory manager

Then I change this user's password with a regular database user
(cn=delegated admin...)  that has access rights to change passwords:


dn: cn=mark,ou=people,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword:: ...
-
replace: modifiersname
modifiersname: cn=delegated admin,ou=people,dc=example,dc=com
-
replace: modifytimestamp
modifytimestamp: 20220316153143Z
-

time: 20220316113143
dn: cn=mark,ou=people,dc=example,dc=com
result: 0
changetype: modify
replace: passwordgraceusertime
passwordgraceusertime: 0
-
replace: passwordExpirationTime
passwordExpirationTime: 20220624153143Z
-
replace: passwordExpWarned
passwordExpWarned: 0


I also tried this same test with "cn=delegated admin" set as a password
admin, and it still works correctly.

Am I misunderstanding your issue?

Mark

On 3/16/22 11:01 AM, Mike Wohlgemuth wrote:
> Hi!
>
> We are running Red Hat Enterprise Linux release 8.3 with 389-ds-base-1.4.3.16-19.module+el8.4.0+11894+f5bb5c43.x86_64 installed. We have configured password expiration, and passwordExpirationTime is getting updated properly when the end user binds and changes the password, or when cn=directory manager changes the password. We have an API that is invoked to allow the users to change their password when they have forgotten it, so it cannot bind as the end user, but we also do not want it to have to bind as cn=directory manager. However, we haven't had any luck getting any other user to update passwordExpirationTime when updating the password. Looking at the code, it looks like password admins should be allowed to update passwordExpirationTime, but we have those configured and it's not working. Is there something we are missing?
>
> Thanks!
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Directory Server Development Team
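A way to check the behaviour Mark describes across a whole audit log instead of by eye, as an added example that is not part of the original thread: it parses 389-ds audit log records in the format quoted above and reports userPassword changes that were not followed by a server-side passwordExpirationTime update on the same entry. The sample log is constructed, and the "cn=api" account in it is hypothetical.

```python
from collections import defaultdict

# Constructed sample in the 389-ds audit log format shown above: a delegated admin
# changes mark's password and the server follows with its own modify of
# passwordExpirationTime; alice's change by a hypothetical "cn=api" account does not.
SAMPLE_AUDIT_LOG = """\
time: 20220316113143
dn: cn=mark,ou=people,dc=example,dc=com
replace: userPassword
userPassword:: ...
modifiersname: cn=delegated admin,ou=people,dc=example,dc=com

time: 20220316113143
dn: cn=mark,ou=people,dc=example,dc=com
replace: passwordExpirationTime
passwordExpirationTime: 20220624153143Z

time: 20220316120000
dn: cn=alice,ou=people,dc=example,dc=com
replace: userPassword
userPassword:: ...
modifiersname: cn=api,ou=people,dc=example,dc=com
"""

def parse_audit_log(text):
    """One dict per blank-line-separated record: lower-cased attr -> values."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = defaultdict(list)
        for line in block.splitlines():
            if ":" in line:                      # skips the "-" separators
                key, value = line.split(":", 1)
                rec[key.lower()].append(value.strip())
        records.append(rec)
    return records

def unexpired_password_changes(text):
    """(dn, modifier) for userPassword changes not followed by a passwordExpirationTime update."""
    pending, missing = {}, []
    for rec in parse_audit_log(text):
        dn = rec["dn"][0]
        replaced = {a.lower() for a in rec["replace"]}
        if "userpassword" in replaced:
            if dn in pending:                    # earlier change never expired
                missing.append((dn, pending[dn]))
            pending[dn] = (rec["modifiersname"] or ["?"])[0]
        elif "passwordexpirationtime" in replaced:
            pending.pop(dn, None)
    return missing + list(pending.items())
```

Run it over a real audit log (with nsslapd-auditlog-logging-enabled on) to confirm that every password change, whoever made it, is followed by the expiration update.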
