>>> Michael Ströder <[email protected]> wrote on 06.11.2014 at 09:16 in message <[email protected]>:
> Which OpenLDAP version?
>
> You can search for the message in source file
> servers/slapd/overlays/ppolicy.c
>
> Reading the comment, setting warn = 0 should not happen.
>
> Does uid=testuser,ou=domain,dc=org really have a correct 'pwdChanged'
> attribute value?

Hi!

You are on the right track: None of our users has a 'pwdChanged' attribute! Which is also not surprising, because I could not find that attribute in the objectclasses being used:

objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount

However I see these attributes being modified since ppolicy is active:

pwdChangedTime
pwdFailureTime
pwdGraceUseTime
pwdHistory

Could it be you meant "pwdChangedTime" instead? If so, could the problem be that that attribute is created only after ppolicy is active _and_ the user actually changed the password?

If so, a heuristic would be to assume the password is not older than createTimestamp if pwdChangedTime is missing.

Regards,
Ulrich

>
> Ciao, Michael.
>
> Ulrich Windl wrote:
>> Hi!
>>
>> Can someone explain what this message is actually saying:
>> slapd[3990]: ppolicy_bind: Setting warning for password expiry for uid=testuser,ou=domain,dc=org = 0 seconds
>>
>> Does this mean a user who mistyped his password before logged in successfully now?
>>
>> I saw no change to the LDAP database after this message, so what is changed, and where is it changed? Also those "0 seconds" don't match my password policy, which looks like this (still testing):
>>
>> --
>> objectClass: namedObject
>> objectClass: pwdPolicy
>> cn: PP-Default
>> pwdAttribute: userPassword
>> pwdMinAge: 30
>> pwdMaxAge: 86400000
>> pwdInHistory: 3
>> pwdCheckQuality: 1
>> pwdMinLength: 8
>> pwdExpireWarning: 604800
>> pwdGraceAuthNLimit: 5
>> pwdLockout: TRUE
>> pwdLockoutDuration: 1800
>> pwdMaxFailure: 10
>> pwdFailureCountInterval: 1209600
>> pwdMustChange: TRUE
>> pwdAllowUserChange: TRUE
>> pwdSafeModify: FALSE
>> --
>>
>> I'm running SLES11 SP3...
>>
>> Regards,
>> Ulrich
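
Added example, not part of the thread and not slapd's own logic: a Python sketch of the heuristic proposed in the reply above (use createTimestamp as the password age basis when pwdChangedTime is missing), using the pwdMaxAge and pwdExpireWarning values from the quoted policy. The function names, the timestamps and the DNs other than uid=testuser are constructed assumptions.

```python
from datetime import datetime, timezone

# Policy values copied from the PP-Default entry quoted in the thread.
PWD_MAX_AGE = 86400000       # seconds
PWD_EXPIRE_WARNING = 604800  # seconds

# Constructed sample entries (not real directory data).
SAMPLE_LDIF = """\
dn: uid=testuser,ou=domain,dc=org
createTimestamp: 20120215080000Z

dn: uid=changed,ou=domain,dc=org
createTimestamp: 20120215080000Z
pwdChangedTime: 20141101120000Z

dn: uid=nostamp,ou=domain,dc=org
"""

def parse_gentime(value):
    """Parse the UTC GeneralizedTime form YYYYmmddHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_entries(ldif):
    """Minimal LDIF reader: blank-line separated, single-valued, no folding."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            entry[key] = val
        entries.append(entry)
    return entries

def password_status(entry, now):
    """Return (basis, seconds_left, warn) using the fallback heuristic."""
    for basis in ("pwdChangedTime", "createTimestamp"):
        if basis in entry:
            age = (now - parse_gentime(entry[basis])).total_seconds()
            left = int(PWD_MAX_AGE - age)
            return basis, left, 0 < left <= PWD_EXPIRE_WARNING
    return None, None, False  # no timestamp to base an age on

def audit(ldif, now):
    """Map each DN to its password_status() result."""
    return {e["dn"]: password_status(e, now) for e in parse_entries(ldif)}

if __name__ == "__main__":
    now = datetime(2014, 11, 6, 9, 16, tzinfo=timezone.utc)
    for dn, status in audit(SAMPLE_LDIF, now).items():
        print(dn, status)
```

Entries reported with basis createTimestamp are the accounts that have not changed their password since ppolicy was activated, which makes the same output usable as a list of accounts to review.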
