On 10/25/2016 11:10 AM, Mark Reynolds wrote:
On 10/25/2016 10:37 AM, Alberto Viana wrote:
> Hello,
>
> Version
> 389-Directory/1.3.4.11 B2016.182.1718
>
> I'm trying to implement password expiration policy with no success,
> I've changed my config:
>
> dn: cn=config
> changetype: modify
> replace: passwordExp
> passwordExp: on
> -
> replace: passwordMaxAge
> passwordMaxAge: 120
>
>
> But after that I'm still able to bind with my (or any) user in 389.
>
> Am I missing something? Also, what attribute does 389 use to control
> that? I could not see any attribute in my user related to that.
Additionally, make sure "passwordChange: on" is set in cn=config (so
users can change their passwords).

After setting this you must change the password in the entry (this
sets the passwordexpirationtime operational attribute in the entry).
I forgot to mention that you MUST change the password as the user, not
"directory manager" or some admin account. Changing the password as
directory manager will not set the passwordexpirationtime operational
attribute in the entry (as Directory Manager bypasses password policy).
Then the expiration time will be enforced on future logins for that
entry. These settings do not work retroactively.

Hope this helps,
Mark
>
> All changes were based on this doc:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9....
>
> Thanks.
>
>
>
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
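
The sequence described in this thread, as an added example that is not part of the original messages: build the cn=config change, then list the entries that still have no passwordExpirationTime and so are not yet subject to expiration. The function names are hypothetical, the host, suffix and bind DNs are placeholders, and the sample LDIF is constructed; note that passwordMaxAge is given in seconds.

```shell
# Added example. policy_ldif SECONDS prints the cn=config change from the
# thread plus passwordChange: on. passwordMaxAge is in seconds.
policy_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: $1
-
replace: passwordChange
passwordChange: on
EOF
}

# Reads unwrapped LDIF on stdin and prints every DN whose entry carries no
# passwordExpirationTime, i.e. the password was not changed by the user yet.
missing_expiry() {
  awk '
    function emit() { if (dn != "" && !seen) print dn; dn = ""; seen = 0 }
    /^$/ { emit(); next }
    tolower($0) ~ /^dn: / { dn = substr($0, 5); next }
    tolower($0) ~ /^passwordexpirationtime:/ { seen = 1 }
    END { emit() }
  '
}

# Constructed ldapsearch output: bob has not changed his own password.
sample_ldif() {
  cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
passwordExpirationTime: 20170222151200Z

dn: uid=bob,ou=People,dc=example,dc=com

dn: uid=carol,ou=People,dc=example,dc=com
passwordexpirationtime: 20170222153000Z
EOF
}

# Against a live server (H=ldaps://ldap.example.com is a placeholder):
#   policy_ldif 7776000 | ldapmodify -H "$H" -D "cn=Directory Manager" -W
#   ldappasswd -H "$H" -D "uid=bob,ou=People,dc=example,dc=com" -W -S
#   ldapsearch -LLL -o ldif-wrap=no -H "$H" -D "cn=Directory Manager" -W \
#     -b "dc=example,dc=com" "(objectClass=person)" passwordExpirationTime \
#     | missing_expiry
sample_ldif | missing_expiry
```

The operational attribute has to be requested by name in the search, as above, because a default search does not return it.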