directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Password Policy attribute pwdMinAge not working?
Date Wed, 21 Jan 2015 20:11:47 GMT
On Wed, Jan 21, 2015 at 11:41 PM, David Paulsen <dave.paulsen@kewill.com>
wrote:

> Kiran Ayyagari <kayyagari@...> writes:
>
> >
> > On Wed, Jan 21, 2015 at 8:26 AM, David Paulsen <dave.paulsen@...>
> > wrote:
> >
> > > > > Thanks, Kiran. I was using the admin account to change the password.
> > > > > But, when I attempted to use the user account for which I'm changing the
> > > > > password (instead of the admin account), I get an
> > > > > INSUFFICIENT_ACCESS_RIGHTS error:
> > > > >
> > > > > LDAPException: Insufficient Access Rights (50) Insufficient Access
> > > > > Rights
> > > > >
> > > > are there any ACIs affecting the below mentioned entry?
> > > >
> > > > > LDAPException: Server Message: INSUFFICIENT_ACCESS_RIGHTS: failed for
> > > > > MessageType : MODIFY_REQUEST
> > > > > Message ID : 111
> > > > >     Modify Request
> > > > >         Object : 'uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com'
> > > > >             Modification[0]
> > > > >                 Operation :  replace
> > > > >                 Modification
> > > > > userPassword: 0x48 0x69 0x54 0x68 0x65 0x72 0x65 0x32
> > > > > org.apache.directory.api.ldap.model.message.ModifyRequestImpl@8ede0d34:
> > > > > null
> > > > > LDAPException: Matched DN:
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > Not that I know of. I did not specifically configure any ACIs for
> > > uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com. Is there a way I
> > > can check for that? I would think that by default a user logged in to
> > >
> > see if the parent/root entry has any ACI applied
> >
> > > LDAP as themselves would be able to change their password, correct?
> > >
> > >  yes
> >
> Hi Kiran, it's working now. What happened is that in my password policy,
> I had changed ads-pwdallowuserchange=TRUE, but I hadn't restarted the
> LDAP server, and apparently password policy changes don't take effect
> until the server is restarted.
>
ah!

>
> Once I restarted, I could change the password when connected as the user
> I'm changing the password for. And, if I attempt to change the password
> before the pwdMinAge expires, I get a code = 19 "password is too young
> to update" error as expected. All good.
>
> Is there any way around requiring a restart of the server to have
> password policy settings take effect? This would be a major issue for us
>
not yet, I have been sitting on this idea for far too long, but the effort
stopped midway

> because we create/change password policy configurations often (we
> maintain password policies per customer).
>
>
> Thank you for your help!
>
>
>
>


-- 
Kiran Ayyagari
http://keydap.com
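
The two failures in this thread, modelled as an added Python example (not part of the original message and not ApacheDS code): result code 50 while the in-memory policy still has pwdAllowUserChange FALSE, then code 19 once the reloaded policy enforces pwdMinAge. The administrator DN, the two-hour pwdMinAge, the timestamps, and the rules that an administrator bypasses both checks and that no ACI grants other identities write access are assumptions.

```python
from datetime import datetime, timedelta, timezone

SUCCESS = 0
CONSTRAINT_VIOLATION = 19        # "password is too young to update"
INSUFFICIENT_ACCESS_RIGHTS = 50

ADMIN_DN = "uid=admin,ou=system"  # assumed administrator DN
USER_DN = "uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com"  # from the thread

def parse_generalized_time(value):
    """Parse a pwdChangedTime value such as 20150121190000Z (UTC)."""
    base = value.rstrip("Z").split(".")[0]   # drop an optional fraction
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_password_change(bind_dn, target_dn, policy, pwd_changed_time, now):
    """Return (result_code, reason) for a userPassword modify request.

    policy holds 'pwdAllowUserChange' (bool) and 'pwdMinAge' (seconds).
    DNs are compared case-insensitively as plain strings, a simplification.
    """
    if bind_dn.lower() == ADMIN_DN.lower():
        # Assumption: an administrative reset skips the user-facing checks.
        return SUCCESS, "administrative reset"
    if bind_dn.lower() != target_dn.lower():
        # Assumption: no ACI grants this identity write access to the entry.
        return INSUFFICIENT_ACCESS_RIGHTS, "not the entry owner"
    if not policy["pwdAllowUserChange"]:
        return INSUFFICIENT_ACCESS_RIGHTS, "pwdAllowUserChange is FALSE"
    min_age = policy.get("pwdMinAge", 0)
    if min_age > 0 and pwd_changed_time:
        earliest = parse_generalized_time(pwd_changed_time) + timedelta(seconds=min_age)
        if now < earliest:
            return CONSTRAINT_VIOLATION, "password is too young to update"
    return SUCCESS, "change permitted"

# Constructed sample data: last change at 19:00 UTC, two-hour minimum age.
CHANGED = "20150121190000Z"
NOW = datetime(2015, 1, 21, 20, 11, 47, tzinfo=timezone.utc)
STALE = {"pwdAllowUserChange": False, "pwdMinAge": 7200}    # policy still in memory
RELOADED = {"pwdAllowUserChange": True, "pwdMinAge": 7200}  # policy after restart

def demo():
    return [check_password_change(b, USER_DN, p, CHANGED, n)[0] for b, p, n in (
        (USER_DN, STALE, NOW),                          # self-change, stale policy
        (USER_DN, RELOADED, NOW),                       # self-change inside pwdMinAge
        (USER_DN, RELOADED, NOW + timedelta(hours=1)),  # self-change after pwdMinAge
        (ADMIN_DN, RELOADED, NOW),                      # admin reset
    )]

if __name__ == "__main__":
    print(demo())
```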
