On Sun, 2021-09-19 at 13:27 +0200, mj wrote:
> Hi Roland,
>
> Sorry, forgot to answer this question:
>
> On 18-09-2021 at 19:17, Roland Gruber wrote:
> > I think I found the issue. LAM uses cn=builtin,dc=company,dc=com for the
> > policy. Seems like this one has a different max age. You should see a
> > log message "Using maxPwdAge = ..." at the beginning of the log.
>
> No, there is no mention of "maxPwdAge" anywhere in the generated log.
>
> MJ
>
OK, I downloaded the latest LAM and searched for 'maxPwdAge' in its code and found:

ldap-account-manager-7.7.RC1/lib/modules/windowsUser.inc

    /**
     * Returns a list of password policy options. The options are later passed to function checkSingleUser().
     * This reads the password policy to calculate expiration times later. Maxpwdage is the maximum amount of
     * time, in 100-nanosecond intervals, a password is valid.
     *
     * @return array options ('maxpwdage' => max age in ns)
     */
    protected function getPolicyOptions() {
        $typeManager = new TypeManager();
        $maxPwdAge = array();
        foreach ($typeManager->getConfiguredTypesForScope('user') as $type) {
            $userSuffix = $type->getSuffix();
            if (empty($userSuffix)) {
                logNewMessage(LOG_ERR, 'No user suffix set in server profile for ' . $type->getAlias() . '.');
                continue;
            }
            // extract base DN from user suffix
            $domainRoot = strtolower(substr($userSuffix, stripos($userSuffix, 'dc=')));
            if (empty($domainRoot)) {
                logNewMessage(LOG_ERR, "No domain root found in $userSuffix.");
                continue;
            }
            logNewMessage(LOG_DEBUG, "Using $domainRoot as domain root");
            $policyDN = 'cn=builtin,' . $domainRoot;
            $policyAttrs = ldapGetDN($policyDN, array('maxPwdAge'));
            if (empty($policyAttrs['maxpwdage'][0])) {
                logNewMessage(LOG_ERR, 'No maxPwdAge found for this domain in ' . $type->getAlias() . '.');
                continue;
            }
            $maxPwdAge[$domainRoot] = $policyAttrs['maxpwdage'][0];
            logNewMessage(LOG_DEBUG, "Using maxPwdAge = " . $maxPwdAge[$domainRoot] . ".");
        }
        return array('maxpwdage' => $maxPwdAge);
    }

Yes, there are password settings in CN=Builtin:

lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -37108517437440
minPwdAge: 0
minPwdLength: 0
pwdProperties: 0
pwdHistoryLength: 0

But 'Builtin' is actually a separate domain and the results from the rootDSE should be used instead:

lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 3
maxPwdAge: -36288000000000
minPwdAge: 0
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 24

Rowland

_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public
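As an added illustration of the point Rowland makes (this is example code, not part of his post and not LAM's code), the Python script below reads the password policy from the domain head that the rootDSE's defaultNamingContext names, instead of from cn=Builtin under it, and turns the resulting maxPwdAge (a negative count of 100-nanosecond intervals) into a password expiry date from a user's pwdLastSet (a FILETIME, 100-nanosecond intervals since 1601-01-01 UTC). The two maxPwdAge values are the ones quoted above; the rootDSE entry, the user entries, their DNs and the ldap_get_dn() stand-in for a base-scope search are constructed so the script runs offline. The two special cases a practitioner has to handle are also covered: a maxPwdAge of 0 or 0x8000000000000000 (passwords never expire) and the UF_DONT_EXPIRE_PASSWD bit on an individual account.

```python
"""Password expiry from the domain policy rather than cn=Builtin (added example, not LAM code)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

HUNDRED_NS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet is a FILETIME
NEVER_EXPIRES = -(2 ** 63)       # maxPwdAge 0x8000000000000000: passwords never expire
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit exempting one account

# Constructed sample directory: DN -> attributes with LDAP-style list values.
# The two maxPwdAge values are the ones quoted in the thread; everything else is made up.
SAMPLE_DIRECTORY = {
    "": {"defaultNamingContext": ["dc=company,dc=com"]},  # rootDSE
    "dc=company,dc=com": {  # domain head: the policy that actually applies to users
        "maxPwdAge": ["-36288000000000"], "minPwdLength": ["7"], "lockoutThreshold": ["3"],
    },
    "cn=builtin,dc=company,dc=com": {  # Builtin: its own policy, not the domain's
        "maxPwdAge": ["-37108517437440"], "minPwdLength": ["0"], "lockoutThreshold": ["0"],
    },
    # hypothetical users; pwdLastSet 132749280000000000 is 2021-09-01T00:00:00Z
    "cn=alice,cn=users,dc=company,dc=com": {
        "pwdLastSet": ["132749280000000000"], "userAccountControl": ["512"],
    },
    "cn=svc-backup,cn=users,dc=company,dc=com": {  # 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
        "pwdLastSet": ["132749280000000000"], "userAccountControl": ["66048"],
    },
}


def ldap_get_dn(dn: str) -> dict:
    """Stand-in for a base-scope LDAP search of one DN (DNs compare case-insensitively)."""
    for key, attrs in SAMPLE_DIRECTORY.items():
        if key.lower() == dn.lower():
            return attrs
    return {}


def domain_policy_dn() -> str:
    """The object carrying the domain password policy: the default naming context from the rootDSE."""
    return ldap_get_dn("")["defaultNamingContext"][0]


def read_max_pwd_age(policy_dn: str) -> Optional[timedelta]:
    """maxPwdAge as a positive timedelta; None when passwords under this policy never expire."""
    raw = ldap_get_dn(policy_dn).get("maxPwdAge")
    if not raw:  # note: explicit check, so a legitimate "0" is not mistaken for "missing"
        raise LookupError(f"no maxPwdAge on {policy_dn}")
    value = int(raw[0])
    if value in (0, NEVER_EXPIRES):
        return None
    return timedelta(seconds=-value / HUNDRED_NS_PER_SECOND)  # stored negative, in 100 ns units


def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(seconds=filetime / HUNDRED_NS_PER_SECOND)


def password_expiry(user_dn: str, policy_dn: str) -> Optional[datetime]:
    """Expiry instant for one account, or None if its password does not expire."""
    user = ldap_get_dn(user_dn)
    uac = int(user.get("userAccountControl", ["0"])[0])
    if uac & UF_DONT_EXPIRE_PASSWD:
        return None
    last_set = int(user.get("pwdLastSet", ["0"])[0])
    if last_set == 0:
        return FILETIME_EPOCH  # "must change at next logon": already expired
    max_age = read_max_pwd_age(policy_dn)
    if max_age is None:
        return None
    return filetime_to_datetime(last_set) + max_age


def compare_policies() -> dict:
    """Maximum password age in days for the domain head and for cn=Builtin, side by side."""
    domain = domain_policy_dn()
    result = {}
    for dn in (domain, "cn=builtin," + domain):
        age = read_max_pwd_age(dn)
        result[dn] = None if age is None else age.total_seconds() / 86400
    return result


if __name__ == "__main__":
    for dn, days in compare_policies().items():
        print(f"{dn}: maxPwdAge = {days} days")
    for user in ("cn=alice,cn=users,dc=company,dc=com", "cn=svc-backup,cn=users,dc=company,dc=com"):
        print(f"{user}: expires {password_expiry(user, domain_policy_dn())}")
```

Run stand-alone, the script reports 42.0 days for dc=company,dc=com against roughly 42.95 days for cn=builtin,dc=company,dc=com, so a user whose pwdLastSet is 2021-09-01 expires on 2021-10-13 under the domain policy and almost a day later under the Builtin one. In getPolicyOptions() terms the difference is `$policyDN = $domainRoot` instead of `'cn=builtin,' . $domainRoot`; when porting the "never expires" handling back to PHP, keep in mind that `empty('0')` is true, so the existing `empty($policyAttrs['maxpwdage'][0])` test would report a policy whose maxPwdAge is literally 0 as missing.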