2014-06-03 17:13 GMT+02:00 Gonzalez, Aliep <[email protected]>:

>
>
> Apologies if I am asking a dumb question or if this is something that has
> already been answered before.
>
> I am trying to deploy LTB 0.8 to change users' passwords against Oracle
> Directory Server 11g. My password policy requires that users must change
> their passwords after a reset. As a result of that, if I try to change a
> user password by sending a password reset link, the password operation
> succeeds, but since the user's "passwordExpirationTime" field is set to
> "19700101000000Z", I am forced to set a new password again to be able to
> bind to the directory.
>
> Here is what I get when the password has been reset using the reset link:
>
> [02/Jun/2014:14:50:10 -0400] conn=127217 op=-1 msgId=-1 - fd=41 slot=41
> LDAP connection from 127.0.0.1:34025 to 127.0.0.1
> [02/Jun/2014:14:50:10 -0400] conn=127217 op=0 msgId=1 - BIND
> dn="uid=qsfshmx,ou=people,dc=fg,dc=rbccm,dc=com" method=128 version=3
> [02/Jun/2014:14:50:10 -0400] conn=127217 op=0 msgId=1 - RESULT err=0
> tag=97 nentries=0 etime=0 dn="uid=qsfshmx,ou=people,dc=fg,dc=rbccm,dc=com"
> [02/Jun/2014:14:50:10 -0400] conn=127217 op=1 msgId=2 - SRCH
> base="ou=people,dc=fg,dc=rbccm,dc=com" scope=0 filter="(objectClass=*)"
> attrs=ALL
> [02/Jun/2014:14:50:10 -0400] conn=127217 op=1 msgId=2 - RESULT err=53
> tag=101 nentries=0 etime=0, Password was reset and must be changed.
> [02/Jun/2014:14:50:10 -0400] conn=127217 op=2 msgId=3 - UNBIND
> [02/Jun/2014:14:50:10 -0400] conn=127217 op=2 msgId=-1 - closing from
> 127.0.0.1:34025 - U1 - Connection closed by unbind client -
> [02/Jun/2014:14:50:10 -0400] conn=127217 op=-1 msgId=-1 - closed.
>
> Here is the way my password policy looks:
>
> dn: cn=Password Policy,cn=config
> objectClass: top
> objectClass: ldapsubentry
> objectClass: pwdPolicy
> objectClass: sunPwdPolicy
> objectClass: passwordPolicy
> cn: Password Policy
> pwdAttribute: userPassword
> passwordStorageScheme: SSHA
> passwordChange: on
> pwdAllowUserChange: TRUE
> pwdSafeModify: FALSE
> passwordRootdnMayBypassModsChecks: off
> passwordNonRootMayResetUserpwd: on
> passwordInHistory: 13
> pwdInHistory: 13
> passwordMinAge: 604800
> pwdMinAge: 604800
> passwordCheckSyntax: on
> pwdCheckQuality: 2
> passwordMinLength: 6
> pwdMinLength: 6
> passwordMustChange: on
> pwdMustChange: TRUE
> passwordExp: on
> passwordMaxAge: 8640000
> pwdMaxAge: 8640000
> passwordWarning: 1209600
> pwdExpireWarning: 1209600
> passwordExpireWithoutWarning: off
> pwdGraceAuthNLimit: 0
> pwdKeepLastAuthTime: FALSE
> passwordLockout: on
> pwdLockout: TRUE
> passwordMaxFailure: 5
> pwdMaxFailure: 5
> passwordResetFailureCount: 60
> pwdFailureCountInterval: 60
> pwdIsLockoutPrioritized: TRUE
> passwordUnlock: on
> passwordLockoutDuration: 60
> pwdLockoutDuration: 60
>
> Is there any way to make LTB work with my password policy?
>
>


Not without a patch. Oracle directory sees that the password modification does
not come from the user itself, and so forces the user to change the
password. You can try to patch Self Service Password so it modifies other
attributes like passwordExpirationTime to prevent this behavior.


Clément.
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
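A small log check, added here as an example and not part of the thread or of the LTB project's code: it reads Oracle Directory Server access-log lines in the shape quoted above, ties each `RESULT err=53 ... Password was reset and must be changed` to the dn that bound on the same `conn=` id, and counts which accounts are being refused. An administrator can run it over the server's access log before and after patching Self Service Password to confirm whether the forced change still fires, and to see which accounts were reset. The first connection in the sample is the thread's own log; the second connection (`uid=otheruser`) is constructed to show a bind that is not refused.

```python
import re
from collections import Counter

# Constructed sample log. Connection 127217 is the one quoted in the thread;
# connection 127218 is made up to show a normal bind that is not refused.
SAMPLE_LOG = """\
[02/Jun/2014:14:50:10 -0400] conn=127217 op=-1 msgId=-1 - fd=41 slot=41 LDAP connection from 127.0.0.1:34025 to 127.0.0.1
[02/Jun/2014:14:50:10 -0400] conn=127217 op=0 msgId=1 - BIND dn="uid=qsfshmx,ou=people,dc=fg,dc=rbccm,dc=com" method=128 version=3
[02/Jun/2014:14:50:10 -0400] conn=127217 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=qsfshmx,ou=people,dc=fg,dc=rbccm,dc=com"
[02/Jun/2014:14:50:10 -0400] conn=127217 op=1 msgId=2 - SRCH base="ou=people,dc=fg,dc=rbccm,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Jun/2014:14:50:10 -0400] conn=127217 op=1 msgId=2 - RESULT err=53 tag=101 nentries=0 etime=0, Password was reset and must be changed.
[02/Jun/2014:14:50:10 -0400] conn=127217 op=2 msgId=3 - UNBIND
[02/Jun/2014:14:50:10 -0400] conn=127217 op=2 msgId=-1 - closing from 127.0.0.1:34025 - U1 - Connection closed by unbind client -
[02/Jun/2014:14:50:10 -0400] conn=127217 op=-1 msgId=-1 - closed.
[02/Jun/2014:14:51:02 -0400] conn=127218 op=0 msgId=1 - BIND dn="uid=otheruser,ou=people,dc=fg,dc=rbccm,dc=com" method=128 version=3
[02/Jun/2014:14:51:02 -0400] conn=127218 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=otheruser,ou=people,dc=fg,dc=rbccm,dc=com"
[02/Jun/2014:14:51:02 -0400] conn=127218 op=1 msgId=2 - SRCH base="ou=people,dc=fg,dc=rbccm,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Jun/2014:14:51:02 -0400] conn=127218 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
"""

# Common prefix of every access-log line: timestamp, conn id, op, msgId.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) '
    r'msgId=(?P<msgid>-?\d+) - (?P<rest>.*)$'
)
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)\b(?P<tail>.*)$')

# LDAP result 53 is unwillingToPerform; the server appends this reason text
# when the bound user's password was reset by someone else and must be changed.
MUST_CHANGE_TEXT = "Password was reset and must be changed"


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_forced_changes(log_text):
    """Return one record per operation refused with err=53 because the password
    must be changed, with the dn that last bound on that connection."""
    bound_dn = {}  # conn id -> dn of the most recent BIND on that connection
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        conn, rest = rec["conn"], rec["rest"]
        b = BIND_RE.match(rest)
        if b:
            bound_dn[conn] = b.group("dn")
            continue
        r = RESULT_RE.match(rest)
        if r and r.group("err") == "53" and MUST_CHANGE_TEXT in r.group("tail"):
            hits.append({
                "ts": rec["ts"],
                "conn": conn,
                "op": rec["op"],
                "dn": bound_dn.get(conn),  # None if the connection never bound
            })
        if rest.startswith("closed"):
            bound_dn.pop(conn, None)  # conn ids are reused; forget the binding
    return hits


def count_by_dn(hits):
    """How many times each account was refused; helps spot accounts still stuck."""
    return Counter(h["dn"] for h in hits)


if __name__ == "__main__":
    found = find_forced_changes(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} conn={h["conn"]} op={h["op"]} dn={h["dn"]}')
    print(dict(count_by_dn(found)))
```

Feed a real access log with `find_forced_changes(open(path).read())`. Binding state is keyed on `conn=` because Oracle DS reuses connection ids after `closed.`, so the map entry is dropped at that point; a refusal on a connection that never bound is reported with `dn` set to None rather than being attributed to the wrong account.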
