Kiran Ayyagari <kayyagari@...> writes: > > On Wed, Jan 21, 2015 at 8:26 AM, David Paulsen <dave.paulsen@...> > wrote: > > > > > Thanks, Kiran. I was using the admin account to change the password. > > > > But, when I attempted to use the user account for which I'm changing > > the > > > > password (instead of the admin account), I get an > > > > INSUFFICIENT_ACCESS_RIGHTS error: > > > > > > > > LDAPException: Insufficient Access Rights (50) Insufficient Access > > > > Rights > > > > > > > are there any ACIs affecting the below mentioned entry? > > > > > > > LDAPException: Server Message: INSUFFICIENT_ACCESS_RIGHTS: failed > > for > > > > MessageType : MODIFY_REQUEST > > > > Message ID : 111 > > > > Modify Request > > > > Object : > > 'uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com > > > > ' > > > > Modification[0] > > > > Operation : replace > > > > Modification > > > > userPassword: 0x48 0x69 0x54 0x68 0x65 0x72 0x65 0x32 > > > > org.apache.directory.api.ldap.model.message.ModifyRequestImpl <at> > > 8ede0d34: > > > > null > > > > LDAPException: Matched DN: > > > > > > > > > > > > > > > > > > > > > Not that I know of. I did not specifically configure any ACIs for > > uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com. Is there a way I > > can check for that? I would think that by default a user logged in to > > > see if the parent/root entry has any ACI applied > > > LDAP as themselves would be able to change their password, correct? > > > > yes > Hi Kiran, it's working now. What happened is that in my password policy, I had changed ads-pwdallowuserchange=TRUE, but I hadn't restarted the LDAP server, and apparently password policy changes don't take effect until the server is restarted.
Once I restarted, I could change the password when connected as the user I'm changing the password for. And, if I attempt to change the password before the pwdMinAge expires, I get a code = 19 "password is too young to update" error as expected. All good. Is there any way around requiring a restart of the server to have password policy settings take effect? This would be a major issue for us because we create/change password policy configurations often (we maintain password policies per customer). Thank you for your help!
