directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hal Deadman <hal.dead...@gmail.com>
Subject Re: uid=admin,ou=system password expired
Date Sat, 07 May 2016 00:00:24 GMT
I was able to recreate the issue with a test instance.

I created a fresh instance of M21 directory using M10 studio. I set
password expiration on password policy to some number, turned off grace
logins, and changed the password of the admin user. I reconnected with the
new password, and set the pwdChangedTime of admin user to a date in in the
past (far enough to cause expiration) and then tried to reconnect,  got
"Bind failed: password expired".

On Thu, May 5, 2016 at 12:44 PM, Hal Deadman <hal.deadman@gmail.com> wrote:

> Although my server is running M21, the config might have come from a
> slightly older release so if the changes to make the policy not apply to
> admin require some additional configuration item then maybe I am missing
> that.
>
> I suppose creating a fresh instance on M21 and then back-dating the
> pwdChangedTime of the admin user and applying a policy with expiration
> would confirm whether this is an issue or not. I will let you know when I
> test it.
>
> On Tue, May 3, 2016 at 7:00 PM, Hal Deadman <hal.deadman@gmail.com> wrote:
>
>> I am using M21 and it doesn't appear to be bypassing the policy, at least
>> when it comes to  password expiration.
>>
>> The admin password had expired on both servers but I was able to login to
>> the backup server b/c grace logins were allowed. It did record a grace
>> login on the admin user when I logged in. I reset the password to the same
>> value it was before and it didn't enforce history.
>>
>> I can't confirm b/c I can't login but I think the policy on the server
>> where I can't login is as follows:
>>
>> dn:
>> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterc
>>  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> entryCSN: 20160325163415.003000Z#000000#000#000000
>> ads-pwdLockoutDuration: 2592000
>> ads-pwdAttribute: userPassword
>> ads-pwdId: default
>> ads-pwdLockout: TRUE
>> ads-pwdFailureCountInterval: 86400
>> ads-pwdMaxAge: 3888000
>> ads-pwdMaxFailure: 3
>> ads-pwdCheckQuality: 1
>> ads-enabled: TRUE
>> entryUUID: 5f79a974-e791-4beb-803f-42e169b5dfb7
>> ads-pwdInHistory: 24
>> ads-pwdValidator:
>> org.apache.directory.server.core.api.authn.ppolicy.DefaultPass
>>  wordValidator
>> ads-pwdMinLength: 5
>> ads-pwdGraceAuthNLimit: 5
>> objectClass: ads-passwordPolicy
>> objectClass: top
>> objectClass: ads-base
>> entryParentId: a4bb3a90-be7a-45ce-acb8-43ce7571df75
>>
>> The error when I attempt to login as uid=admin,ou=system is as follows:
>>
>> Error while opening connection
>>  - [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: password
>> expired and max grace logins were used]
>> java.lang.Exception: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind
>> failed: password expired and max grace logins were used]
>>
>> Thanks.
>>
>> On Tue, May 3, 2016 at 3:15 PM, Emmanuel Lécharny <elecharny@gmail.com>
>> wrote:
>>
>>> Le 03/05/16 18:50, Hal Deadman a écrit :
>>> > I have a replicated directory in my dev lab where the admin  user has
>>> an
>>> > expired password on one of the two servers. Since I can't login as
>>> admin,
>>> > how might I go about resetting the password on that user short of
>>> > re-creating the instance?
>>>
>>> the uid=admin,ou=system user bypasses the passwordPolicy (at least in
>>> the latest version). That shpuld allow you to change the password.
>>>
>>> What version are you using ?
>>>
>>>
>>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message