On Sun, 2021-09-19 at 13:27 +0200, mj wrote:
> Hi Roland,
> 
> Sorry, forgot to answer this question:
> 
> > On 18-09-2021 at 19:17, Roland Gruber wrote:
> > > I think I found the issue. LAM uses cn=builtin,dc=company,dc=com for the
> > > policy. Seems like this one has a different max age. You should see a
> > > log message "Using maxPwdAge = ..." at the beginning of the log.
> 
> No, there is no mention of "maxPwdAge" anywhere in the generated log.
> 
> MJ
> 

OK, I downloaded the latest LAM and searched for 'maxPwdAge' in its
code and found:

ldap-account-manager-7.7.RC1/lib/modules/windowsUser.inc

/**
 * Returns a list of password policy options. The options are later passed to function checkSingleUser().
 * This reads the password policy to calculate expiration times later. Maxpwdage is the maximum amount of
 * time, in 100-nanosecond intervals, a password is valid.
 *
 * @return array options ('maxpwdage' => max age in ns)
 */
protected function getPolicyOptions() {
        $typeManager = new TypeManager();
        $maxPwdAge = array();
        foreach ($typeManager->getConfiguredTypesForScope('user') as $type) {
                $userSuffix = $type->getSuffix();
                if (empty($userSuffix)) {
                        logNewMessage(LOG_ERR, 'No user suffix set in server profile for ' . $type->getAlias() . '.');
                        continue;
                }
                // extract base DN from user suffix
                $domainRoot = strtolower(substr($userSuffix, stripos($userSuffix, 'dc=')));
                if (empty($domainRoot)) {
                        logNewMessage(LOG_ERR, "No domain root found in $userSuffix.");
                        continue;
                }
                logNewMessage(LOG_DEBUG, "Using $domainRoot as domain root");
                $policyDN = 'cn=builtin,' . $domainRoot;
                $policyAttrs = ldapGetDN($policyDN, array('maxPwdAge'));
                if (empty($policyAttrs['maxpwdage'][0])) {
                        logNewMessage(LOG_ERR, 'No maxPwdAge found for this domain in ' . $type->getAlias() . '.');
                        continue;
                }
                $maxPwdAge[$domainRoot] = $policyAttrs['maxpwdage'][0];
                logNewMessage(LOG_DEBUG, "Using maxPwdAge = " . $maxPwdAge[$domainRoot] . ".");
        }
        return array('maxpwdage' => $maxPwdAge);
}

Yes, there are password settings in CN=Builtin:

lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -37108517437440
minPwdAge: 0
minPwdLength: 0
pwdProperties: 0
pwdHistoryLength: 0

But 'Builtin' is actually a separate domain and the results from the
rootDSE should be used instead:

lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 3
maxPwdAge: -36288000000000
minPwdAge: 0
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 24

Rowland
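As an added illustration (not code from LAM or from anyone in this thread), the maxPwdAge arithmetic in Python applied to the two policy values quoted above, with a small constructed in-memory directory standing in for the LDAP lookups, to show how much the computed expiry shifts when the policy is read from cn=Builtin instead of the domain root object. The DNs, the pwdLastSet value and the DIRECTORY contents are constructed; the "never expires" sentinel is Active Directory's documented 0x8000000000000000.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as 100-nanosecond ticks since 1601-01-01 UTC and
# maxPwdAge as a negative interval in the same unit.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -(2 ** 63)  # AD sentinel 0x8000000000000000: no maximum age

# Constructed directory: the two policy objects quoted in the thread, keyed
# by DN. In a live deployment these would come from ldapGetDN()/ldapsearch.
DIRECTORY = {
    "dc=company,dc=com": {"maxpwdage": -36288000000000},            # domain root
    "cn=builtin,dc=company,dc=com": {"maxpwdage": -37108517437440},  # Builtin
}

def domain_root(user_suffix: str) -> str:
    """Same DN trimming LAM does: keep everything from the first 'dc=' on."""
    suffix = user_suffix.lower()
    pos = suffix.find("dc=")
    if pos < 0:
        raise ValueError(f"No domain root found in {user_suffix}")
    return suffix[pos:]

def max_pwd_age(raw: int):
    """Convert a raw maxPwdAge (negative 100-ns ticks) to a timedelta.
    Returns None when the policy enforces no maximum age."""
    if raw == NEVER_EXPIRES or raw >= 0:   # sentinel or not a valid interval
        return None
    return timedelta(microseconds=-raw // 10)

def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def password_expiry(pwd_last_set: int, raw_max_age: int):
    """Expiry instant for one user, or None if passwords never expire.
    A pwdLastSet of 0 naturally yields a date in 1601, i.e. already expired."""
    age = max_pwd_age(raw_max_age)
    return None if age is None else filetime_to_datetime(pwd_last_set) + age

def policy_for(user_suffix: str, directory: dict, use_builtin: bool = False) -> int:
    """maxPwdAge for the domain a user suffix belongs to. use_builtin=True
    reproduces the cn=Builtin lookup discussed above; the default reads the
    domain root object itself."""
    root = domain_root(user_suffix)
    dn = f"cn=builtin,{root}" if use_builtin else root
    return directory[dn]["maxpwdage"]

def expiry_days(raw_max_age: int) -> float:
    age = max_pwd_age(raw_max_age)
    return age.total_seconds() / 86400 if age else float("inf")

if __name__ == "__main__":
    for builtin in (False, True):
        raw = policy_for("ou=people,dc=company,dc=com", DIRECTORY, use_builtin=builtin)
        print("cn=Builtin" if builtin else "domain root", raw, f"{expiry_days(raw):.2f} days")
```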

_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public