
I have a password policy issue that I need help with. The password policy I am using is the following:

objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockoutDuration: 1800
pwdMaxFailure: 5
pwdLockout: TRUE
pwdFailureCountInterval: 900
structuralObjectClass: device
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdAllowUserChange: TRUE
pwdInHistory: 3

Here is what I have working:

  • Accounts are locked for 30 mins after 5 failed authentications within 15 mins.
  • Prohibiting password changes where a user provides a new password that is listed in their password history only works when using ldappasswd bound as that user; using ldapmodify while bound as that user does not work.
  • Unlocking an account locked due to failed authentications by manually removing the pwdAccountLockedTime.

This does not work:

  • Unlocking an account that was locked due to expired password while still enforcing password history.

I try using ldappasswd to change the user's password, binding as the locked user with the current password and giving it a new password that is not in its password history, and the operation fails, saying the password is expired. Can anyone help me with this?

OhaiMac

1 Answer


I confirm it has to work if you proceed as you wrote.

Password change from a user with expired password works with ldappasswd.

Please invoke ldappasswd with the -E ppolicy switch (unless you already did) to have more debug.

473183469
  • Unfortunately it is not working. However, someone pointed out that I may need to add the `pwdGraceAuthNLimit` property to my password policy with a non-zero value. When I added that, this let me: 1. Enforce password history. 2. Bind as that user successfully. 3. Change the user's password. – OhaiMac Feb 08 '17 at 18:45
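To see why a non-zero `pwdGraceAuthNLimit` changes the outcome, here is an added Python model of the ppolicy overlay's bind-time decisions for the policy above (example code written for this thread; it is not OpenLDAP's code and simplifies the overlay's logic). The grace limit value of 3 and the sample entry timestamps are assumed for illustration.

```python
from datetime import datetime, timedelta, timezone

# The policy from the question, in seconds, plus the pwdGraceAuthNLimit the
# asker later added. The value 3 is an assumption; 0 means no grace binds.
POLICY = {
    "pwdMaxFailure": 5,
    "pwdFailureCountInterval": 900,
    "pwdLockoutDuration": 1800,
    "pwdMaxAge": 7776000,
    "pwdGraceAuthNLimit": 3,
}

def parse_gt(ts):
    """Parse an LDAP GeneralizedTime value such as 20170208184500Z."""
    return datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def bind_decision(entry, now, policy=POLICY):
    """Outcome of a correct-password bind for `entry` at `now`:
    'locked', 'expired', 'grace' (bind allowed only to change the password)
    or 'ok'. Lockout is checked before expiry, as the overlay does."""
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at:
        duration = policy["pwdLockoutDuration"]
        # pwdLockoutDuration 0 means the lock never expires on its own;
        # otherwise it lapses once the duration has passed. Removing the
        # attribute (the asker's manual unlock) skips this branch entirely.
        if duration == 0 or now < parse_gt(locked_at) + timedelta(seconds=duration):
            return "locked"
    changed = entry.get("pwdChangedTime")
    if changed and now > parse_gt(changed) + timedelta(seconds=policy["pwdMaxAge"]):
        # Expired: each grace bind is recorded as a pwdGraceUseTime value.
        used = len(entry.get("pwdGraceUseTime", []))
        if used < policy["pwdGraceAuthNLimit"]:
            return "grace"
        return "expired"
    return "ok"

if __name__ == "__main__":
    now = parse_gt("20170208184500Z")
    stale = {"pwdChangedTime": "20161101000000Z"}   # constructed, >90 days old
    print(bind_decision(stale, now))                               # grace
    print(bind_decision(stale, now, dict(POLICY, pwdGraceAuthNLimit=0)))  # expired
```

With `pwdGraceAuthNLimit` at 0 an expired password yields "expired" on every bind, which is the failure the question describes; with a non-zero limit the user gets "grace" binds in which to set a new password, still subject to pwdInHistory.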