Hi I have been unable to reliably recreate this issue. I can however with 95% certainty say that it revolves around the setting "User must change password after Reset"
There is a specific sequence in applying this and the password policy that will break the ability on a client to change his/her password.
I am continuing to test but are secretely hoping someone else has run into a similar problem. Googling the error has suggested a miconfigured pam. I do not believe that PAM is at fault here as I have been using the same client without config changes and the behaviour is different depending on how the auth server was configured.
Regards
________________________________________ From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Gerrard Geldenhuis [Gerrard.Geldenhuis@betfair.com] Sent: 27 September 2010 17:26 To: 389-users@lists.fedoraproject.org Subject: [389-users] Not allowed to change password once it has expired
Hi I am in the midsts of debugging this but am hoping anyone can shed some light on the issue or point me in the right direction.
A certain combination of changes to the global password policy seems to break the abbility to change a user's password.
user1@client01.example's password: You are required to change your LDAP password immediately. Last login: Mon Sep 27 16:06:18 2010 from 10.5.11.115 Connection to client01.example closed.
When it works it looks like: ssh client01 -l user1 user1@client01's password: You are required to change your LDAP password immediately. Creating directory '/home/user1'. WARNING: Your password has expired. You must change your password now and login again! Changing password for user user1 Enter login(LDAP) password: Connection to client01 closed.
Settings that we have toggled in the global password policy is: Enable fine-grained password policy User must change password after reset Allow changes in x days
We don't change anything on the client so I am 99% sure its not a a pam misconfiguration.
Best Regards
________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________ -- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________