Hal, This is a known issue and I initially thought was fixed in trunk but looks like it wasn't.
Please follow the steps mentioned in this message http://markmail.org/message/rohhcxnar4ysfzlq This will let you reset the password for now. On Sat, May 7, 2016 at 5:30 AM, Hal Deadman <[email protected]> wrote: > I was able to recreate the issue with a test instance. > > I created a fresh instance of M21 directory using M10 studio. I set > password expiration on password policy to some number, turned off grace > logins, and changed the password of the admin user. I reconnected with the > new password, and set the pwdChangedTime of admin user to a date in in the > past (far enough to cause expiration) and then tried to reconnect, got > "Bind failed: password expired". > > On Thu, May 5, 2016 at 12:44 PM, Hal Deadman <[email protected]> > wrote: > > > Although my server is running M21, the config might have come from a > > slightly older release so if the changes to make the policy not apply to > > admin require some additional configuration item then maybe I am missing > > that. > > > > I suppose creating a fresh instance on M21 and then back-dating the > > pwdChangedTime of the admin user and applying a policy with expiration > > would confirm whether this is an issue or not. I will let you know when I > > test it. > > > > On Tue, May 3, 2016 at 7:00 PM, Hal Deadman <[email protected]> > wrote: > > > >> I am using M21 and it doesn't appear to be bypassing the policy, at > least > >> when it comes to password expiration. > >> > >> The admin password had expired on both servers but I was able to login > to > >> the backup server b/c grace logins were allowed. It did record a grace > >> login on the admin user when I logged in. I reset the password to the > same > >> value it was before and it didn't enforce history. > >> > >> I can't confirm b/c I can't login but I think the policy on the server > >> where I can't login is as follows: > >> > >> dn: > >> > ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterc > >> eptor,ou=interceptors,ads-directoryServiceId=default,ou=config > >> entryCSN: 20160325163415.003000Z#000000#000#000000 > >> ads-pwdLockoutDuration: 2592000 > >> ads-pwdAttribute: userPassword > >> ads-pwdId: default > >> ads-pwdLockout: TRUE > >> ads-pwdFailureCountInterval: 86400 > >> ads-pwdMaxAge: 3888000 > >> ads-pwdMaxFailure: 3 > >> ads-pwdCheckQuality: 1 > >> ads-enabled: TRUE > >> entryUUID: 5f79a974-e791-4beb-803f-42e169b5dfb7 > >> ads-pwdInHistory: 24 > >> ads-pwdValidator: > >> org.apache.directory.server.core.api.authn.ppolicy.DefaultPass > >> wordValidator > >> ads-pwdMinLength: 5 > >> ads-pwdGraceAuthNLimit: 5 > >> objectClass: ads-passwordPolicy > >> objectClass: top > >> objectClass: ads-base > >> entryParentId: a4bb3a90-be7a-45ce-acb8-43ce7571df75 > >> > >> The error when I attempt to login as uid=admin,ou=system is as follows: > >> > >> Error while opening connection > >> - [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: password > >> expired and max grace logins were used] > >> java.lang.Exception: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind > >> failed: password expired and max grace logins were used] > >> > >> Thanks. > >> > >> On Tue, May 3, 2016 at 3:15 PM, Emmanuel Lécharny <[email protected]> > >> wrote: > >> > >>> Le 03/05/16 18:50, Hal Deadman a écrit : > >>> > I have a replicated directory in my dev lab where the admin user has > >>> an > >>> > expired password on one of the two servers. Since I can't login as > >>> admin, > >>> > how might I go about resetting the password on that user short of > >>> > re-creating the instance? > >>> > >>> the uid=admin,ou=system user bypasses the passwordPolicy (at least in > >>> the latest version). That shpuld allow you to change the password. > >>> > >>> What version are you using ? > >>> > >>> > >> > > > Kiran Ayyagari http://keydap.com
