I figured this out. I'm sharing in case someone else runs into this.
In the smbldap-useradd script there is a section that adds a default "crypt"
password even if you don't invoke the -P (password function) during creation.
This was preventing me from setting a password on new accounts when the LDAP
password policy has a pwdMinAge value bigger than 0.
Can this be changed in future releases or is this intended?
    # USER ACCOUNT
    # add posix account first
    my @objectclass = qw(top person organizationalPerson posixAccount);
    my @attr = (
        'objectclass'   => \@objectclass,
        'cn'            => $userCN,
        'sn'            => $userSN,
        'uid'           => $userName,
        'uidNumber'     => $userUidNumber,
        'gidNumber'     => $userGidNumber,
        'homeDirectory' => $userHomeDirectory,
        'loginShell'    => $config{userLoginShell},
        'gecos'         => $config{userGecos},
        # 'userPassword' => "{crypt}x"
    );
From: [email protected]
To: [email protected]
Subject: Unable to change the password for newly created accounts
Date: Wed, 22 Oct 2014 12:23:29 -0400
If the default password policy for OpenLDAP has a pwdMinAge value other than 0
(disable) I'm unable to set the initial password for a newly created account.
I receive the following error:
Failed to modify UNIX password: Password is too young to change at
/usr/share/perl5/vendor_perl/smbldap_tools.pm line 1494, <STDIN> line 2.
This has never been an issue in previous releases. This is a pressing issue as
we'd like to be able to set the pwdMinAge to 1 day (86400) to comply with
infosec.
OS: RHEL 6.x
smbldap-tools version: smbldap-tools-0.9.10-1.el6.noarch
OpenLDAP versions: openldap-2.4.39-8.el6.x86_64/openldap-2.4.23-34.el6_5.1.x86_64
SAMBA versions: samba-3.6.23-12.el6.x86_64/samba-3.6.9-169.el6_5.x86_64
Any help or patch would be greatly appreciated.
Regards,
-Mike
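Added example (not part of the original messages and not smbldap-tools code): a Python check an administrator could run over exported directory entries to list accounts that still hold the {crypt}x placeholder and whose first password set would be refused under pwdMinAge. It assumes the password policy overlay stamps pwdChangedTime when the placeholder is stored at creation; the sample LDIF, DNs and timestamps are constructed.

```python
import base64
from datetime import datetime, timedelta, timezone

PLACEHOLDER = "{crypt}x"  # default value smbldap-useradd stores (from the post)
REAL_HASH = "{SSHA}constructed-not-a-real-hash"  # constructed sample value

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample shaped like `ldapsearch -LLL` output (userPassword is base64).
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=Users,dc=example,dc=com
userPassword:: {b64(PLACEHOLDER)}
pwdChangedTime: 20141022160000Z

dn: uid=bob,ou=Users,dc=example,dc=com

dn: uid=carol,ou=Users,dc=example,dc=com
userPassword:: {b64(REAL_HASH)}
pwdChangedTime: 20141020090000Z
"""

def parse_ldif(text):
    """Yield one {attr: value} dict per entry (single-valued attrs, no line folding)."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            entry[name.lower()] = value.strip()
        yield entry

def blocked_accounts(ldif, pwd_min_age, now):
    """Return [(dn, earliest_change)] for placeholder entries younger than pwd_min_age."""
    hits = []
    for e in parse_ldif(ldif):
        changed = e.get("pwdchangedtime")
        if e.get("userpassword") != PLACEHOLDER or not changed:
            continue  # real password already set, or no password timestamp at all
        t = datetime.strptime(changed, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        earliest = t + timedelta(seconds=pwd_min_age)
        if now < earliest:
            hits.append((e["dn"], earliest))
    return hits

if __name__ == "__main__":
    now = datetime(2014, 10, 22, 16, 23, 29, tzinfo=timezone.utc)  # constructed
    for dn, when in blocked_accounts(SAMPLE_LDIF, 86400, now):
        print(f"{dn}: first password set refused until {when.isoformat()}")
```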