OpenLDAP Version: 2.3.5
PPolicy Overlay Version: 1.62
Problem:
PPolicy module determines user password is expired
before pwdMaxAge time has elapsed.
Here's the Password Policy enabled by default for
user's test directory
POLICY OBJECT:
name <policy>
pwdCheckQuality=2
pwdMaxAge=8640000
pwdMinAge=0
pwdMinLength=5
pwdFailureCountInterval=120
pwdMaxFailure=3
pwdMustChange=TRUE
pwdSafeModify=FALSE
pwdInHistory=5
pwdGraceAuthNLimit=5
pwdLockoutDuration=120
pwdAllowUserChange=TRUE
pwdExpireWarning=8640000
pwdLockout=TRUE
Here are the operational attributes assigned to the test
user:
USER OPERATIONAL ATTRIBUTES:
name <394359285170458054>
createTimestamp <20051003171523Z>
modifyTimestamp <20051003171523Z>
creatorsName <cn=Manager,dc=fnfis,dc=com>
modifiersName <cn=Manager,dc=fnfis,dc=com>
subschemaSubentry <cn=Subschema>
pwdPolicySubentry <null>
pwdChangedTime <null>
pwdAccountLockedTime <null>
pwdExpirationWarned <null>
pwdFailureTime <null>
pwdGraceUseTime <20051003210223Z>
pwdReset <null>
The following listing is from slapd log:
** start log trace **
ppolicy_bind: Entry cn=394359285170458054,ou=People,dc=fnfis,dc=com does not have valid pwdChangedTime attribute - assuming password expired
ppolicy_bind: Entry cn=394359285170458054,ou=People,dc=fnfis,dc=com has an expired password: 3 grace logins
** end of log trace **
Observation:
PPolicy module doesn't like a null pwdChangedTime
attribute.
Any ideas on what the corrective action might be?
Thanks and regards,
Shawn McKinney
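
Added example, not part of the original post and not OpenLDAP code: a small Python audit that takes the policy and operational attributes quoted above and flags an entry with no pwdChangedTime, or with a grace login recorded before pwdMaxAge could have elapsed. The function names, and the use of createTimestamp as the baseline when pwdChangedTime is absent, are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone


def parse_gt(value):
    """Parse LDAP GeneralizedTime in the YYYYmmddHHMMSSZ form used in the post."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit_entry(entry, policy):
    """Return a list of findings for one entry's operational attributes."""
    findings = []
    max_age = timedelta(seconds=int(policy["pwdMaxAge"]))
    changed = entry.get("pwdChangedTime")
    # Assumption of this example: with no pwdChangedTime, the password cannot
    # be older than the entry itself, so createTimestamp is the baseline.
    baseline = parse_gt(changed or entry["createTimestamp"])
    earliest_expiry = baseline + max_age
    if changed is None:
        findings.append("missing pwdChangedTime")
    # A grace login consumed before baseline + pwdMaxAge means the password
    # was treated as expired ahead of schedule.
    for used in entry.get("pwdGraceUseTime", []):
        if parse_gt(used) < earliest_expiry:
            findings.append(
                f"grace login {used} before earliest expiry "
                f"{earliest_expiry:%Y%m%d%H%M%SZ}"
            )
    return findings


# Values copied from the policy object and user entry in the post.
POLICY = {"pwdMaxAge": "8640000"}
ENTRY = {
    "createTimestamp": "20051003171523Z",
    "pwdChangedTime": None,
    "pwdGraceUseTime": ["20051003210223Z"],
}

if __name__ == "__main__":
    for finding in audit_entry(ENTRY, POLICY):
        print(finding)
```

For the entry in the post this reports both conditions: pwdMaxAge of 8640000 seconds is 100 days, so the grace login was used the same day the entry was created.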