Tony Earnshaw wrote:
> My site uses ppolicy with great success.
>
> Ryan Steele skrev, on 08-04-2008 23:35:
>
>> I wanted to test the scenario where a user had forgotten his password,
>> and needed to have it reset. I wanted to give this user the ability to
>> change this temporary password if they wanted. To do this, I:
>>
>> 1. Executed ldappasswd, binding as the rootdn, to change the user's
>> password
>> 2. Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet
>> attributes
>
> Fie. That's part of what 'overlay smbk5pwd' is for. Does it
> automatically.
I'm using smbk5pwd, but I think you're missing the point here. Users can change their passwords just fine thanks to the overlay, but not if I reset the password, because then the sambaPwdCanChange, sambaPwdLastSet, and pwdChangedTime (or pwdMinAge) get updated. The first two I can fix easily; the third is where I run into trouble.

>
>> 3. Logged in to the domain as the user
>> 4. Hit Ctrl+Alt+Delete and selected "Change Password"
>>
>> However, because my ppolicy pwdMinAge hadn't expired yet, the user was
>> unable to change the password. So, it seems necessary to be able to
>> change that value for the user so he/she can change their password. I
>> couldn't find an attribute called pwdMinAge, but I'm assuming that's
>> because it just looks at pwdChangedTime.
>
> The pwdMinAge attribute exists. Perhaps a GUI such as gq could help here.

I shouldn't need a GUI to administer the directory, but nevertheless I installed phpldapadmin, and it doesn't see a pwdMinAge attribute in the user's entry. Neither slapcat nor ldapvi can find this attribute on the user either.

>
>> I 'assume' because I couldn't
>> find explicit documentation stating this, though the man page definition
>> for pwdChangedTime says "[pwdChangedTime] is used by the password
>> expiration policy to determine whether the password is too old to be
>> allowed to be used for user authentication." Is this why I see a
>> NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change
>> a password that is being protected by pwdMinAge?
>
> No, pwdMinAge has nothing to do with Samba, Samba doesn't use it - see
> pdbedit -P.

It _does_ affect being able to change your password when logged into a Samba-controlled domain. Adding a pwdMinAge attribute to my password policy prevents the user from being able to change his/her password after it's been reset by an administrator. I'm familiar with pdbedit, but I fail to see how that will help me solve this problem. I'm happy to be convinced otherwise, though.
>
>> And, is executing an ldapmodify the proper thing to do in this situation
>> to change the pwdChangedTime and allow the user to change his/her
>> password? E.g.:
>>
>> ldapmodify -D "cn=admin,dc=example,dc=com" -W
>> dn: uid=someuser,ou=Users,dc=example,dc=com
>> changetype: modify
>> replace: pwdChangedTime
>> pwdChangedTime: 20080408212948Z
>
> pwdChangedTime is an operational attribute and cannot be changed by
> *any* user; it is the directory that has to change it.
>

Well then, how does one accomplish what I'm trying to do? If a user forgets his/her password, and an admin resets it, I want the user to be able to change it to something they're comfortable with (which adheres to the restrictions), but short of removing the pwdMinAge attribute from my password policy, I can't seem to figure out how that is possible.

Thanks as always,
Ryan
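The following is an added example, not code from this thread or from OpenLDAP or Samba. It models offline the check slapo-ppolicy applies to a self-service password change: the password's age is now minus the entry's pwdChangedTime, and the change is refused (passwordTooYoung) while that age is below the policy's pwdMinAge, which is a value in seconds held on the pwdPolicy entry rather than on the user (which is why no pwdMinAge shows up in the user's entry). It also converts between the two timestamp syntaxes involved: sambaPwdLastSet is an integer Unix epoch, while pwdChangedTime is LDAP GeneralizedTime (YYYYMMDDHHMMSSZ), so an epoch value is not a valid pwdChangedTime. The policy and entry values, and the function names, are constructed for this example.

```python
"""Offline model of the slapo-ppolicy pwdMinAge check.

Added example, not from the mailing-list thread or from OpenLDAP.  The
sample policy and entry values below are constructed, not taken from a
real directory.
"""
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%S"  # LDAP GeneralizedTime, without fraction or zone


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime forms slapd writes: YYYYMMDDHHMMSSZ,
    optionally with a fractional second (YYYYMMDDHHMMSS.ffffffZ)."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime is handled: %r" % value)
    body, _, frac = value[:-1].partition(".")
    if len(body) != 14 or not body.isdigit():
        raise ValueError("malformed GeneralizedTime: %r" % value)
    micro = int(frac.ljust(6, "0")[:6]) if frac else 0
    return datetime.strptime(body, GT_FORMAT).replace(
        tzinfo=timezone.utc, microsecond=micro)


def to_generalized_time(dt: datetime) -> str:
    """Format an aware datetime the way slapd stores pwdChangedTime."""
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT) + "Z"


def epoch_to_generalized_time(seconds: int) -> str:
    """sambaPwdLastSet is an integer Unix epoch; pwdChangedTime is
    GeneralizedTime.  Express the same instant in the second syntax."""
    return to_generalized_time(datetime.fromtimestamp(seconds, tz=timezone.utc))


def min_age_check(entry: dict, policy: dict, now: datetime) -> dict:
    """Decide whether a self-service change would pass pwdMinAge.

    Mirrors ppolicy: pwdMinAge absent or 0 -> no restriction; an entry
    without pwdChangedTime -> no restriction (there is no age to compare);
    otherwise the change is refused while now - pwdChangedTime < pwdMinAge.
    Returns the age in seconds and the earliest time a change would pass.
    """
    min_age = int(policy.get("pwdMinAge", 0))  # LDAP returns it as a string
    changed = entry.get("pwdChangedTime")
    if min_age <= 0 or changed is None:
        return {"allowed": True, "age": None, "earliest": None}
    changed_at = parse_generalized_time(changed)
    age = int((now - changed_at).total_seconds())
    earliest = changed_at + timedelta(seconds=min_age)
    return {"allowed": age >= min_age, "age": age,
            "earliest": to_generalized_time(earliest)}


# Constructed sample: a policy with a one-day minimum age, and a user whose
# password an administrator reset at a constructed instant (epoch 1207690188).
SAMPLE_POLICY = {"pwdMinAge": "86400"}
SAMPLE_ENTRY = {
    "uid": "someuser",
    "sambaPwdLastSet": "1207690188",
    "pwdChangedTime": epoch_to_generalized_time(1207690188),
}

if __name__ == "__main__":
    # Two hours after the reset the change is refused; a day later it passes.
    for when in ("20080408233500Z", "20080410000000Z"):
        result = min_age_check(SAMPLE_ENTRY, SAMPLE_POLICY,
                               parse_generalized_time(when))
        print(when, result)
```

Because pwdChangedTime is operational, a plain ldapsearch does not return it; ask for it by name (or with the `+` pseudo-attribute) when verifying what the directory actually recorded after a reset, and feed that value to min_age_check to see how long the user is locked out of changing the password.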