On Mon, 2017-06-26 at 17:16 +0000, Mitch Patenaude wrote:
I'm trying to migrate my organization to FDS, but policy requires
a 90 day password expiration, and pam_ldap modules aren't forcing password changes
even after the password expired.
I saw in a thread back from 2011 that somebody was having an issue where setting
passwordExpirationTime to 19700101000000Z would force a change, but 19700101000001Z
wouldn't. Well... even setting to 19700101000000Z doesn't work for me.
intdns1-01-lv:~ mpatenaude$ luser mitchtest2
dn: uid=mitchtest2,ou=People,dc=prod,dc=shutterfly,dc=com
passwordExpirationTime: 19700101000000Z
loginShell: /bin/bash
uid: mitchtest2
cn: Mitch Test2
givenName: Mitch
sn: Test2
mail: mitchtest2(a)shutterfly.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
uidNumber: 5134
gidNumber: 5134
homeDirectory: /home/mitchtest2
gecos: Mitch Test2
But it lets that account log in without prompting for a password change.
Any ideas?

It's probably worth reading
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
I would check that the date-format is correct (enough digits). Check the
number of grace logins you have as well. Finally, to help us diagnose
this, it would be good to see the password policy related attributes
from cn=config.
Thanks,
--
Sincerely,
William Brown
Software Engineer
Red Hat, Australia/Brisbane
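Added example, not from this thread or from 389-DS itself: a small Python check for the things William suggests verifying, run over a constructed copy of the quoted entry (DN made generic). It rejects a passwordExpirationTime with the wrong number of digits, flags the epoch value the 2011 thread says forces a change, compares the timestamp against a chosen "now", and computes what the attribute should read under a 90 day policy; treating 19700101000000Z as a reset marker is taken from the thread, not verified here.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the entry quoted in the thread (DN made generic).
SAMPLE_ENTRY = """\
dn: uid=mitchtest2,ou=People,dc=example,dc=com
passwordExpirationTime: 19700101000000Z
uid: mitchtest2
objectClass: posixAccount
objectClass: shadowAccount
"""

GENERALIZED_TIME = re.compile(r"^(\d{14})Z$")  # YYYYMMDDHHMMSSZ: exactly 14 digits, then Z
RESET_MARKER = "19700101000000Z"                 # epoch value the 2011 thread says forces a change
MAX_AGE = timedelta(days=90)                     # the policy from the question

def parse_ldif(text):
    """Collect attribute values from single-line LDIF output; every attribute becomes a list."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def parse_generalized_time(value):
    """Parse a GeneralizedTime value; raise ValueError when the digit count is wrong."""
    m = GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(f"bad GeneralizedTime {value!r}: expected 14 digits followed by Z")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def expected_expiration(last_change, max_age=MAX_AGE):
    """What passwordExpirationTime should read under the policy, as a GeneralizedTime string."""
    return (last_change + max_age).strftime("%Y%m%d%H%M%SZ")

def expiry_status(attrs, now):
    """Classify an entry: 'no-expiration-time', 'reset-marker', 'expired' or 'valid'."""
    values = attrs.get("passwordExpirationTime", [])
    if not values:
        return "no-expiration-time"
    if values[0] == RESET_MARKER:
        return "reset-marker"
    return "expired" if parse_generalized_time(values[0]) <= now else "valid"

if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_ENTRY)
    now = datetime(2017, 6, 26, 17, 16, tzinfo=timezone.utc)  # timestamp of the original mail
    print(entry["dn"][0], "->", expiry_status(entry, now))
```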