On Tue, 2017-07-11 at 15:53 -0700, Darren Struthers wrote:
> I have inherited an instance of 389 Directory Server running version
> 1.2.10.2. I have observed some inconsistency in the server's behavior when
> I apply a user-level password policy to an account which has not previously
> had one (either directly via a user-level policy or indirectly via a
> subtree-level policy). I have applied a basic policy with a 7-day password
> expiration and 7-day warning period on several accounts. When I did this,
> some accounts seemed to start the 7-day clock upon a subsequent login,
> while others seemed to have no observable effect (i.e. the account state
> warning for a near expiration is not returned after authentication).
> 
> Does anyone know what factors could result in this inconsistency in this
> version? The behavior seems to diverge along account age lines, with older
> accounts seeming to behave differently than the newer accounts, leading me
> to wonder if someone previously applied and removed password policies at
> either the user- or subtree-level in the past, and if so, whether that
> could potentially lead to the inconsistency I'm observing.

How are they logging in? Via a Unix machine? Perhaps something that is
reading shadow instead?

> 
> A secondary question: does anyone know if it is possible to see the state
> of the expiration timer for accounts in this version?

If I recall correctly, I think the timers are relative to fixed points
in time, so look at the admin guide here, it might help you?

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/account-policy-plugin

> 
> Any information or advice anyone has is appreciated. I can provide more
> information about the server in question if necessary.
> 
> Thanks,
> Darren
> 
> 
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
