From an old post, I found I could enable self-write access to the shadowLastChange attribute by going into the directory, selecting the root domain, selecting set access permissions, selecting enable self write for common attributes, and editing “self” manually. I added shadowLastChange and userPassword to the list and saved. Worked great. This was an account imported from an older OpenLDAP server. Is this the correct fix for this, or have I misconfigured something and should fix it correctly?

Thanks

 

From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of David Hoskinson
Sent: Thursday, September 29, 2011 7:33 AM
To: General discussion list for the 389 Directory server project.
Subject: [389-users] Password expiration policy problem

 

I have configured our directory server to have a global password policy in the directory server, under Data -> Passwords. Under the policy we have elected to use, the password expires in 45 days. For the last 15 days it has been warning me to change it. I have on several occasions changed it by typing password in a terminal window and changing it. This has been successful and the new password is active. However, the next time I log in, the countdown has not been reset. I was wondering what would happen when it got to 0, so I let that happen today. As expected, it prompted me to change my password and reset it. However, when I log back in I am still at 0 and hence cannot log in to the machine. I looked at the passwordexpirationtime on my account and it reads 20111113112125Z, as I believe it should since it was reset today. Still can’t log in, and the account says I am at 0 days…

 

Thanks for any help…

 

David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA 
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson@datatrak.net | www.datatrak.net
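
The mismatch described in this thread, as an added example that is not part of either message or of the 389 Directory Server project: it compares the server-side passwordExpirationTime with the expiry a shadow-map login client would derive from shadowLastChange. It assumes the client computes expiry as shadowLastChange + shadowMax (RFC 2307 day counts); the shadowLastChange and shadowMax values are constructed, while the passwordExpirationTime, the 45-day policy and the date come from the thread.

```python
from datetime import date, datetime, timezone

EPOCH = date(1970, 1, 1)  # shadow attributes count days since this date


def ds_policy_days_left(password_expiration_time: str, today: date) -> int:
    """Days left per the server-side policy attribute (GeneralizedTime, UTC)."""
    expires = datetime.strptime(password_expiration_time, "%Y%m%d%H%M%SZ")
    return (expires.replace(tzinfo=timezone.utc).date() - today).days


def shadow_days_left(shadow_last_change: int, shadow_max: int, today: date) -> int:
    """Days left as a shadow-map client would compute it (assumed behaviour)."""
    days_today = (today - EPOCH).days
    return max(shadow_last_change + shadow_max - days_today, 0)


def diagnose(entry: dict, today: date) -> str:
    """Compare both clocks and report whether shadowLastChange looks stale."""
    ds = ds_policy_days_left(entry["passwordExpirationTime"], today)
    sh = shadow_days_left(int(entry["shadowLastChange"]),
                          int(entry["shadowMax"]), today)
    if ds <= 0:
        return "expired under server policy"
    if sh == 0:
        return f"stale shadowLastChange: server says {ds} days, shadow client says 0"
    return f"consistent: server {ds} days, shadow {sh} days"


TODAY = date(2011, 9, 29)  # date of the original message

# Constructed entry: the server attribute was reset by the password change,
# but shadowLastChange (15201 = 2011-08-15) was never rewritten because the
# user had no write access to it.
STALE = {
    "passwordExpirationTime": "20111113112125Z",  # value quoted in the thread
    "shadowLastChange": "15201",                  # constructed
    "shadowMax": "45",                            # constructed, mirrors the 45-day policy
}

# Same entry once the user is allowed to update shadowLastChange on change.
FIXED = dict(STALE, shadowLastChange=str((TODAY - EPOCH).days))

if __name__ == "__main__":
    print(diagnose(STALE, TODAY))
    print(diagnose(FIXED, TODAY))
```
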