Hi Mike,
I'm not sure I understand the issue. If a userpassword is changed, and
password expiration is turned on, then the attribute is always updated.
It doesn't matter who makes the password change. A "password
Administrator" is just allowed to bypass syntax checks - that's it.
Anyway this all works for me. Here I show the audit log as I make
changes and I see passwordExpirationtime being updated:
dn: cn=mark,ou=people,dc=example,dc=com
result: 0
changetype: add
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
cn: mark
displayName: mark
passwordExpirationTime: 20220624152751Z
userPassword:: ...
modifiersName: cn=directory manager
Then I change this user's password with a regular database user
(cn=delegated admin...) that has access rights to change passwords:
dn: cn=mark,ou=people,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword:: ...
-
replace: modifiersname
modifiersname: cn=delegated admin,ou=people,dc=example,dc=com
-
replace: modifytimestamp
modifytimestamp: 20220316153143Z
-
time: 20220316113143
dn: cn=mark,ou=people,dc=example,dc=com
result: 0
changetype: modify
replace: passwordgraceusertime
passwordgraceusertime: 0
-
replace: passwordExpirationTime
passwordExpirationTime: 20220624153143Z
-
replace: passwordExpWarned
passwordExpWarned: 0
I also tried this same test with "cn=delegated admin" set as a password
admin, and it still works correctly.
Am I misunderstanding your issue?
Mark
On 3/16/22 11:01 AM, Mike Wohlgemuth wrote:
Hi!
We are running Red Hat Enterprise Linux release 8.3 with
389-ds-base-1.4.3.16-19.module+el8.4.0+11894+f5bb5c43.x86_64 installed. We have configured
password expiration, and passwordExpirationTime is getting updated properly when the end
user binds and changes the password, or when cn=directory manager changes the password. We
have an API that is invoked to allow the users to change their password when they have
forgotten it, so it cannot bind as the end user, but we also do not want it to have to
bind as cn=directory manager. However, we haven't had any luck getting any other user
to update passwordExpirationTime when updating the password. Looking at the code, it looks
like password admins should be allowed to update passwordExpirationTime, but we have those
configured and it's not working. Is there something we are missing?
Thanks!
--
Directory Server Development Team
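
An added example, not part of the original thread or of the 389-ds code: a check over an audit log in the layout pasted above that reports password changes never followed by a passwordExpirationTime write for the same entry. The sample log and the `cn=reset api` account are constructed, and treating each `time:` line as the start of a record is an assumption.

```python
import re

# Constructed sample in the audit-log layout shown in the thread; values are made up.
SAMPLE_LOG = """\
time: 20220316113143
dn: cn=mark,ou=people,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword:: ...
-
time: 20220316113143
dn: cn=mark,ou=people,dc=example,dc=com
result: 0
changetype: modify
replace: passwordExpirationTime
passwordExpirationTime: 20220624153143Z
-
time: 20220316120000
dn: cn=alice,ou=people,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword:: ...
-
replace: modifiersname
modifiersname: cn=reset api,ou=people,dc=example,dc=com
-
"""

def records(text):
    """Yield each record (assumed to start at a 'time:' line) as (attr, value) pairs."""
    for chunk in re.split(r"(?m)^(?=time:)", text):
        pairs = re.findall(r"(?m)^([\w-]+)::? ?(.*)$", chunk)
        if pairs:
            yield pairs

def missing_expiry_updates(text):
    """Map DN -> modifier for password changes with no later passwordExpirationTime write."""
    pending = {}
    for pairs in records(text):
        # Attribute names are case-insensitive; reversed() keeps the first occurrence.
        attrs = {name.lower(): value for name, value in reversed(pairs)}
        dn = attrs.get("dn", "").lower()
        if "userpassword" in attrs:
            pending[dn] = attrs.get("modifiersname", "unknown")
        if "passwordexpirationtime" in attrs:
            pending.pop(dn, None)
    return pending
```

An empty result means every password change in the log was matched by an expiration update; any DN returned is an entry to inspect together with the account that made the change.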