Monday, June 13, 2016

[389-users] Managing user password policy problem

Hi All,

I am having difficulty getting the user password policy to work. I want to use a local, per-user password policy. Here is the configuration I use:

container configuration -
dn: cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

entry configuration -
dn: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
cn: userPasswordPolicy
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy
passwordGraceLimit: 3
passwordMustChange: on
passwordChange: on
passwordExp: on
passwordMaxAge: 2
passwordHistory: on
passwordCheckSyntax: on

nsslapd-pwpolicy-local -
dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: on

per-user password policy configuration -
dn: uid=xinhuan,ou=people,dc=christianbook,dc=com
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com

However, when I reset my userPassword using the ldapmodify command, I was able to log in from a remote client that authenticates against my 389 Directory Server without being prompted to change my password on first login, which is against the 'passwordMustChange' policy.

The second thing is that I tried to expire my password so I could test 'passwordExp'. However, when I ran 'passwd -e xinhuan' on the LDAP client, I got this error:

Expiring password for user xinhuan.
passwd: Error

What's going on?

Thanks,
- xinhuan
--
389-users mailing list
389-users@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
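As an added offline check (not part of the original post and not 389 DS's own tooling), here is a small Python script that reads the four LDIF fragments shown above, re-embedded as a constructed sample, and flags the points a reviewer would raise: whether nsslapd-pwpolicy-local is on, whether the policy subentry carries the passwordPolicy and ldapsubentry object classes, whether the user's pwdpolicysubentry points at a DN that is actually defined, and that passwordMaxAge is measured in seconds in 389 DS, so the value 2 expires the password two seconds after it is set. It also notes that passwordMustChange only takes effect when the password is reset by an identity other than the user (389 DS marks the entry with pwdReset: TRUE), which is worth checking against how the ldapmodify reset was bound. The one-day threshold (86400 seconds) used to flag a short passwordMaxAge is an assumption of this script, not a server default, and the parser deliberately handles only the plain `attr: value` LDIF subset used here.

```python
"""Offline sanity checks for a 389 Directory Server local password policy LDIF.

Added example; not code from the original post or from 389 DS.
"""
import re

# Constructed sample: the four fragments from the post above, joined as one LDIF text.
SAMPLE_LDIF = """\
dn: cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

dn: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
cn: userPasswordPolicy
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy
passwordGraceLimit: 3
passwordMustChange: on
passwordChange: on
passwordExp: on
passwordMaxAge: 2
passwordHistory: on
passwordCheckSyntax: on

dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: on

dn: uid=xinhuan,ou=people,dc=christianbook,dc=com
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: cn=userPasswordPolicy,cn=nsPwPolicyContainer,ou=people,dc=christianbook,dc=com
"""

# Assumption of this script: anything shorter than one day is almost certainly a mistake.
SHORT_MAX_AGE_SECONDS = 86400


def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no spaces around ',' or '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def parse_ldif(text):
    """Minimal LDIF reader for the 'attr: value' subset used in the post.

    Unfolds continuation lines (leading space), splits records on blank lines,
    lower-cases attribute names and keeps every value in a list. Base64 ('::')
    values and 'attr:< url' references are not handled.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if line.strip() == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line.strip() == "-":
            continue                        # comments and changetype mod separators
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def check_policy(records):
    """Return a list of human-readable findings about the local policy setup."""
    findings = []
    by_dn = {norm_dn(r["dn"][0]): r for r in records if "dn" in r}

    # 1. Local policies are only consulted when the global switch is on.
    cfg = by_dn.get("cn=config", {})
    if "on" not in [v.lower() for v in cfg.get("nsslapd-pwpolicy-local", [])]:
        findings.append("cn=config: nsslapd-pwpolicy-local is not on; local policies are ignored")

    # 2. The policy subentry itself.
    policies = [r for r in records
                if "passwordpolicy" in [v.lower() for v in r.get("objectclass", [])]]
    if not policies:
        findings.append("no entry with objectClass passwordPolicy found")
    for pol in policies:
        dn = pol["dn"][0]
        classes = [v.lower() for v in pol.get("objectclass", [])]
        if "ldapsubentry" not in classes:
            findings.append(f"{dn}: missing objectClass ldapsubentry")
        # passwordMaxAge is a number of seconds in 389 DS, not days.
        for age in pol.get("passwordmaxage", []):
            if age.isdigit() and int(age) < SHORT_MAX_AGE_SECONDS:
                findings.append(f"{dn}: passwordMaxAge {age} means {age} seconds; "
                                "the password expires almost as soon as it is set")
        if [v.lower() for v in pol.get("passwordmustchange", [])] == ["on"]:
            findings.append(f"{dn}: note: passwordMustChange only triggers when the password "
                            "is reset by another identity (entry gets pwdReset: TRUE); "
                            "a self-service change does not force a second change")

    # 3. Every pwdpolicysubentry reference must resolve to a defined entry.
    for r in records:
        for ref in r.get("pwdpolicysubentry", []):
            if norm_dn(ref) not in by_dn:
                findings.append(f"{r['dn'][0]}: pwdpolicysubentry points at {ref}, "
                                "which is not defined in this LDIF")
    return findings


if __name__ == "__main__":
    for finding in check_policy(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run against a real server, the same checks would be made with `ldapsearch -b cn=config nsslapd-pwpolicy-local`, a search for the subentry DN, and a read of the user's pwdpolicysubentry and pwdReset attributes; the script only reproduces the review of the LDIF as posted.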
