I was able to recreate the issue with a test instance. I created a fresh instance of M21 directory using M10 studio. I set password expiration on password policy to some number, turned off grace logins, and changed the password of the admin user. I reconnected with the new password, set the pwdChangedTime of admin user to a date in the past (far enough to cause expiration) and then tried to reconnect, and got "Bind failed: password expired".
On Thu, May 5, 2016 at 12:44 PM, Hal Deadman <hal.dead...@gmail.com> wrote:
> Although my server is running M21, the config might have come from a slightly older release so if the changes to make the policy not apply to admin require some additional configuration item then maybe I am missing that.
>
> I suppose creating a fresh instance on M21 and then back-dating the pwdChangedTime of the admin user and applying a policy with expiration would confirm whether this is an issue or not. I will let you know when I test it.
>
> On Tue, May 3, 2016 at 7:00 PM, Hal Deadman <hal.dead...@gmail.com> wrote:
>
>> I am using M21 and it doesn't appear to be bypassing the policy, at least when it comes to password expiration.
>>
>> The admin password had expired on both servers but I was able to login to the backup server b/c grace logins were allowed. It did record a grace login on the admin user when I logged in. I reset the password to the same value it was before and it didn't enforce history.
>>
>> I can't confirm b/c I can't login but I think the policy on the server where I can't login is as follows:
>>
>> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> entryCSN: 20160325163415.003000Z#000000#000#000000
>> ads-pwdLockoutDuration: 2592000
>> ads-pwdAttribute: userPassword
>> ads-pwdId: default
>> ads-pwdLockout: TRUE
>> ads-pwdFailureCountInterval: 86400
>> ads-pwdMaxAge: 3888000
>> ads-pwdMaxFailure: 3
>> ads-pwdCheckQuality: 1
>> ads-enabled: TRUE
>> entryUUID: 5f79a974-e791-4beb-803f-42e169b5dfb7
>> ads-pwdInHistory: 24
>> ads-pwdValidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
>> ads-pwdMinLength: 5
>> ads-pwdGraceAuthNLimit: 5
>> objectClass: ads-passwordPolicy
>> objectClass: top
>> objectClass: ads-base
>> entryParentId: a4bb3a90-be7a-45ce-acb8-43ce7571df75
>>
>> The error when I attempt to login as uid=admin,ou=system is as follows:
>>
>> Error while opening connection
>> - [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: password expired and max grace logins were used]
>> java.lang.Exception: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: password expired and max grace logins were used]
>>
>> Thanks.
>>
>> On Tue, May 3, 2016 at 3:15 PM, Emmanuel Lécharny <elecha...@gmail.com> wrote:
>>
>>> On 03/05/16 18:50, Hal Deadman wrote:
>>> > I have a replicated directory in my dev lab where the admin user has an expired password on one of the two servers. Since I can't login as admin, how might I go about resetting the password on that user short of re-creating the instance?
>>>
>>> the uid=admin,ou=system user bypasses the passwordPolicy (at least in the latest version). That should allow you to change the password.
>>>
>>> What version are you using?
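The thread turns on two policy values, ads-pwdMaxAge (3888000 seconds, i.e. 45 days) and ads-pwdGraceAuthNLimit (5), applied against the admin entry's pwdChangedTime. The script below is an added example, not code from the thread or from ApacheDS: it parses the policy entry quoted above (re-typed here as a constructed LDIF string), parses an LDAP GeneralizedTime such as the one in entryCSN, and works out which of the three bind outcomes seen in the thread a given pwdChangedTime would produce. The grace-login count is passed in as a plain integer; how ApacheDS tracks consumed grace logins on the entry is not modelled, which is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the password-policy entry quoted in the thread,
# one attribute per line (the mail client had wrapped the long values).
POLICY_LDIF = """\
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdAttribute: userPassword
ads-pwdId: default
ads-pwdLockout: TRUE
ads-pwdLockoutDuration: 2592000
ads-pwdFailureCountInterval: 86400
ads-pwdMaxAge: 3888000
ads-pwdMaxFailure: 3
ads-pwdInHistory: 24
ads-pwdMinLength: 5
ads-pwdGraceAuthNLimit: 5
ads-enabled: TRUE
"""


def parse_ldif_entry(text):
    """Parse a minimal 'attribute: value' LDIF entry into {attr: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime (YYYYMMDDHHMMSS[.fraction]Z) to an aware UTC datetime."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if frac:
        # Fraction may have any number of digits; normalise to microseconds.
        dt += timedelta(microseconds=int(frac.ljust(6, "0")[:6]))
    return dt


def password_expires_at(policy, pwd_changed_time):
    """Return the expiry instant, or None if the policy never expires passwords."""
    max_age = int(policy.get("ads-pwdMaxAge", ["0"])[0])
    if max_age == 0:
        return None
    return parse_generalized_time(pwd_changed_time) + timedelta(seconds=max_age)


def evaluate_bind(policy, pwd_changed_time, grace_logins_used, now):
    """Classify a bind as 'ok', 'expired-grace' (still allowed) or 'expired-locked'.

    Mirrors the three situations in the thread: password within max age, password
    expired but grace logins remain, and the 'max grace logins were used' failure.
    Assumption: grace_logins_used is supplied by the caller.
    """
    if policy.get("ads-enabled", ["FALSE"])[0].upper() != "TRUE":
        return "ok"
    expires_at = password_expires_at(policy, pwd_changed_time)
    if expires_at is None or now < expires_at:
        return "ok"
    grace_limit = int(policy.get("ads-pwdGraceAuthNLimit", ["0"])[0])
    if grace_logins_used < grace_limit:
        return "expired-grace"
    return "expired-locked"


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    now = datetime(2016, 5, 5, 12, 44, tzinfo=timezone.utc)  # date of the reply above
    for changed, used in [("20160325163415.003Z", 0), ("20160101000000Z", 0), ("20160101000000Z", 5)]:
        print(changed, used, "->", evaluate_bind(policy, changed, used, now))
```

A back-dated pwdChangedTime well past the 45-day window reproduces the failure from the thread once five grace logins have been consumed, which is the same effect the reporter produced on the test instance by editing the attribute directly.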