[389-users] admin account expires, expire time refuses to update

Gerrard Geldenhuis Gerrard.Geldenhuis at betfair.com
Tue Aug 10 08:45:41 UTC 2010


Hi Brandon,
It seems to me that the password policy is being applied to your Directory Manager user. I recall that you can disable password policy for cn=config users but can't find that in the documentation now. It is also worthwhile reading the second paragraph of 7.1.1.5 in the Admin guide, which refers to a bug regarding password policy. That might not be true any more, so read it with a pinch of salt.

Regards
________________________________________
From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Brandon G [bjg at solv.com]
Sent: 09 August 2010 18:30
To: 389-users at lists.fedoraproject.org
Subject: [389-users] admin account expires, expire time refuses to update

I am in a curious situation (and by curious I mean frustratingly
annoying). I have enabled strong password policies, including
expirations, across my tree (policy of the site).  This has since
affected my 'admin' account in
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot.  I
discovered this was happening when I was no longer able to log in to the
IDM/admin console.

Unfortunately, the IDM gave a very obtuse error about not being able to
find an object.  I discovered the real problem when I tried an
ldapsearch with the admin uid, and it then returned password expired.
This is a side issue, not part of the core problem.

I used ldapmodify with "cn=directory manager" and changed the password
hash.  I can then log in with IDM again.  I then go (in IDM) to the admin
account and I change passwordexpirationtime to be 2040........Z (i.e.
some time in the distant future).  I save this change, restart the
directory server, and the account is expired again.  If I go through the
same reset process and pull up the value, it has not committed the
passwordexpirationtime attribute; it is back to the original
setting (!?)  To be even more confusing, if I do an ldapsearch on the
uid=admin account, it doesn't even show the passwordexpirationtime
attribute (and thus cannot be updated).  I can only see/change this via IDM.

Can anybody explain this behavior? Is there a better way to exclude the
admin account from the password policies of the server? Can somebody
explain why I can see some attributes on uid=admin that cannot be seen
with ldapsearch?

Versions:

389-ds-console-1.2.0-5
389-admin-1.1.9-1
389-admin-console-1.1.4-2
389-console-1.1.3-5
389-ds-base-1.2.3-1
389-admin-console-doc-1.1.4-2
389-adminutil-1.1.8-4
389-ds-console-doc-1.2.0-5
389-dsgw-1.1.4-1
389-ds-1.1.3-5
RHEL 5.5

Any help/insight into this matter would be greatly appreciated.

-B.G.
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
