Although my server is running M21, the config might have come from a slightly older release, so if the changes that make the policy not apply to admin require some additional configuration item, then maybe I am missing that.
I suppose creating a fresh instance on M21, then back-dating the pwdChangedTime of the admin user and applying a policy with expiration, would confirm whether this is an issue or not. I will let you know when I test it.

On Tue, May 3, 2016 at 7:00 PM, Hal Deadman <[email protected]> wrote:
> I am using M21 and it doesn't appear to be bypassing the policy, at least
> when it comes to password expiration.
>
> The admin password had expired on both servers but I was able to login to
> the backup server because grace logins were allowed. It did record a grace
> login on the admin user when I logged in. I reset the password to the same
> value it was before and it didn't enforce history.
>
> I can't confirm because I can't login, but I think the policy on the server
> where I can't login is as follows:
>
> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> entryCSN: 20160325163415.003000Z#000000#000#000000
> ads-pwdLockoutDuration: 2592000
> ads-pwdAttribute: userPassword
> ads-pwdId: default
> ads-pwdLockout: TRUE
> ads-pwdFailureCountInterval: 86400
> ads-pwdMaxAge: 3888000
> ads-pwdMaxFailure: 3
> ads-pwdCheckQuality: 1
> ads-enabled: TRUE
> entryUUID: 5f79a974-e791-4beb-803f-42e169b5dfb7
> ads-pwdInHistory: 24
> ads-pwdValidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
> ads-pwdMinLength: 5
> ads-pwdGraceAuthNLimit: 5
> objectClass: ads-passwordPolicy
> objectClass: top
> objectClass: ads-base
> entryParentId: a4bb3a90-be7a-45ce-acb8-43ce7571df75
>
> The error when I attempt to login as uid=admin,ou=system is as follows:
>
> Error while opening connection
> - [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: password expired and max grace logins were used]
> java.lang.Exception: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: password expired and max grace logins were used]
>
> Thanks.
>
> On Tue, May 3, 2016 at 3:15 PM, Emmanuel Lécharny <[email protected]> wrote:
>
>> On 03/05/16 18:50, Hal Deadman wrote:
>> > I have a replicated directory in my dev lab where the admin user has an
>> > expired password on one of the two servers. Since I can't login as admin,
>> > how might I go about resetting the password on that user short of
>> > re-creating the instance?
>>
>> the uid=admin,ou=system user bypasses the passwordPolicy (at least in
>> the latest version). That should allow you to change the password.
>>
>> What version are you using?
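The test proposed above (back-date pwdChangedTime, apply a policy with ads-pwdMaxAge, see whether the bind is refused once the grace logins are spent) comes down to a small piece of arithmetic over the quoted policy entry. The following is an added illustration, not code from the thread or from ApacheDS: it parses the quoted ads-passwordPolicy entry, computes the pwdChangedTime value that puts a password past expiry at a chosen "now", and replays the bind outcomes the thread reports (valid, then five grace logins recorded, then the error code 49 message). The function and attribute names other than the ads-* attributes and pwdChangedTime are assumptions, and the model applies the policy to whichever entry it is given; whether uid=admin,ou=system is exempted is decided by the server version, which this code cannot tell you.

```python
# Added illustration of the expiry / grace-login check discussed in the thread.
# This is NOT ApacheDS code: it is a simplified model of the draft-behera
# password-policy rules that the ads-passwordPolicy entry configures.
from datetime import datetime, timedelta, timezone

# Constructed sample: the policy entry quoted in the thread, reduced to the
# attributes that drive expiry and grace logins.
POLICY_LDIF = """\
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdId: default
ads-pwdAttribute: userPassword
ads-pwdMaxAge: 3888000
ads-pwdGraceAuthNLimit: 5
ads-enabled: TRUE
"""

# LDAP GeneralizedTime, the syntax of pwdChangedTime and pwdGraceUseTime.
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_policy(ldif):
    """Parse one LDIF entry into {attribute: value} (last value wins)."""
    policy = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        policy[attr.strip()] = value.strip()
    return policy


def parse_generalized_time(value):
    """GeneralizedTime string -> aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expired_changed_time(policy, now, seconds_past_expiry=86400):
    """pwdChangedTime value that is already past ads-pwdMaxAge at `now`:
    the back-dating step proposed in the thread (hypothetical helper)."""
    max_age = int(policy["ads-pwdMaxAge"])
    changed = now - timedelta(seconds=max_age + seconds_past_expiry)
    return changed.strftime(GENERALIZED_TIME)


def evaluate_bind(policy, pwd_changed_time, grace_use_times, now):
    """Return (allowed, reason) for a bind at `now`.

    grace_use_times stands in for the entry's pwdGraceUseTime values and is
    appended to when a grace login is consumed, which is the "grace login
    recorded on the admin user" effect seen in the thread.
    """
    max_age = int(policy.get("ads-pwdMaxAge", "0"))
    grace_limit = int(policy.get("ads-pwdGraceAuthNLimit", "0"))
    if max_age == 0:
        return True, "no expiry configured"
    expires_at = parse_generalized_time(pwd_changed_time) + timedelta(seconds=max_age)
    if now < expires_at:
        return True, "password valid until " + expires_at.strftime(GENERALIZED_TIME)
    if len(grace_use_times) < grace_limit:
        grace_use_times.append(now.strftime(GENERALIZED_TIME))
        return True, "password expired, grace login %d of %d used" % (
            len(grace_use_times), grace_limit)
    # Wording of the error code 49 message quoted in the thread.
    return False, "password expired and max grace logins were used"


if __name__ == "__main__":
    policy = parse_policy(POLICY_LDIF)
    now = parse_generalized_time("20160503190000Z")  # constructed "now"
    changed = expired_changed_time(policy, now)
    grace = []
    for attempt in range(int(policy["ads-pwdGraceAuthNLimit"]) + 1):
        print(attempt + 1, evaluate_bind(policy, changed, grace, now))
```

With the quoted values, ads-pwdMaxAge of 3888000 seconds is exactly 45 days, so a pwdChangedTime 46 days in the past produces the sixth-bind refusal shown above; the model does not consult pwdPolicySubentry or any admin exemption, so a server that still refuses the bind after such a back-date is applying the policy to that entry regardless of what the model says.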
