There was already a JIRA issue for this issue, I just added a comment to the existing issue.
https://issues.apache.org/jira/browse/DIRSERVER-2067

On Sat, May 7, 2016 at 1:31 PM, Kiran Ayyagari <[email protected]> wrote:
> Hal,
>
> This is a known issue and I initially thought it was fixed in trunk but
> looks like it wasn't.
>
> Please follow the steps mentioned in this message
> http://markmail.org/message/rohhcxnar4ysfzlq
> This will let you reset the password for now.
>
> On Sat, May 7, 2016 at 5:30 AM, Hal Deadman <[email protected]> wrote:
>
> > I was able to recreate the issue with a test instance.
> >
> > I created a fresh instance of M21 directory using M10 studio. I set
> > password expiration on password policy to some number, turned off grace
> > logins, and changed the password of the admin user. I reconnected with the
> > new password, and set the pwdChangedTime of admin user to a date in the
> > past (far enough to cause expiration) and then tried to reconnect, got
> > "Bind failed: password expired".
> >
> > On Thu, May 5, 2016 at 12:44 PM, Hal Deadman <[email protected]> wrote:
> >
> > > Although my server is running M21, the config might have come from a
> > > slightly older release so if the changes to make the policy not apply to
> > > admin require some additional configuration item then maybe I am missing
> > > that.
> > >
> > > I suppose creating a fresh instance on M21 and then back-dating the
> > > pwdChangedTime of the admin user and applying a policy with expiration
> > > would confirm whether this is an issue or not. I will let you know when I
> > > test it.
> > >
> > > On Tue, May 3, 2016 at 7:00 PM, Hal Deadman <[email protected]> wrote:
> > >
> > >> I am using M21 and it doesn't appear to be bypassing the policy, at least
> > >> when it comes to password expiration.
> > >>
> > >> The admin password had expired on both servers but I was able to login to
> > >> the backup server b/c grace logins were allowed. It did record a grace
> > >> login on the admin user when I logged in. I reset the password to the same
> > >> value it was before and it didn't enforce history.
> > >>
> > >> I can't confirm b/c I can't login but I think the policy on the server
> > >> where I can't login is as follows:
> > >>
> > >> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > >> entryCSN: 20160325163415.003000Z#000000#000#000000
> > >> ads-pwdLockoutDuration: 2592000
> > >> ads-pwdAttribute: userPassword
> > >> ads-pwdId: default
> > >> ads-pwdLockout: TRUE
> > >> ads-pwdFailureCountInterval: 86400
> > >> ads-pwdMaxAge: 3888000
> > >> ads-pwdMaxFailure: 3
> > >> ads-pwdCheckQuality: 1
> > >> ads-enabled: TRUE
> > >> entryUUID: 5f79a974-e791-4beb-803f-42e169b5dfb7
> > >> ads-pwdInHistory: 24
> > >> ads-pwdValidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
> > >> ads-pwdMinLength: 5
> > >> ads-pwdGraceAuthNLimit: 5
> > >> objectClass: ads-passwordPolicy
> > >> objectClass: top
> > >> objectClass: ads-base
> > >> entryParentId: a4bb3a90-be7a-45ce-acb8-43ce7571df75
> > >>
> > >> The error when I attempt to login as uid=admin,ou=system is as follows:
> > >>
> > >> Error while opening connection
> > >> - [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: password
> > >> expired and max grace logins were used]
> > >> java.lang.Exception: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind
> > >> failed: password expired and max grace logins were used]
> > >>
> > >> Thanks.
> > >>
> > >> On Tue, May 3, 2016 at 3:15 PM, Emmanuel Lécharny <[email protected]> wrote:
> > >>
> > >>> On 03/05/16 18:50, Hal Deadman wrote:
> > >>> > I have a replicated directory in my dev lab where the admin user has an
> > >>> > expired password on one of the two servers. Since I can't login as admin,
> > >>> > how might I go about resetting the password on that user short of
> > >>> > re-creating the instance?
> > >>>
> > >>> The uid=admin,ou=system user bypasses the passwordPolicy (at least in
> > >>> the latest version). That should allow you to change the password.
> > >>>
> > >>> What version are you using?
> > >>>
> > >>>
> > >>
> > >
> >
>
> Kiran Ayyagari
> http://keydap.com
>
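The expiry arithmetic behind the "password expired and max grace logins were used" bind failure, plus the back-dated pwdChangedTime used in the reproduction above, as an added example that is not part of the thread and not ApacheDS code. The ads-pwd* attribute names are taken from the policy entry quoted in the thread; the pwdChangedTime/pwdGraceUseTime semantics are assumed to follow the LDAP password-policy draft; the sample user entries, the fixed "now" and the DNs other than uid=admin,ou=system are constructed for illustration.

```python
"""Password-expiry arithmetic for an ads-passwordPolicy entry.

Added example, not ApacheDS code. Attribute names come from the policy
entry quoted in the thread; pwdChangedTime / pwdGraceUseTime semantics are
assumed to follow the LDAP password-policy draft. Sample data is constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed: the expiry-relevant attributes of the quoted policy, in LDIF.
# The dn is folded the LDIF way (a continuation line starts with one space).
POLICY_LDIF = """\
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInte
 rceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdMaxAge: 3888000
ads-pwdGraceAuthNLimit: 5
ads-pwdInHistory: 24
ads-pwdMaxFailure: 3
ads-pwdLockout: TRUE
"""

_GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.(\d{1,6}))?Z$")


def parse_ldif_entry(ldif: str) -> dict[str, list[str]]:
    """Read one LDIF entry into {attribute: [values]}, unfolding continuation
    lines. Handles plain "attr: value" only; base64 ("::") values are out of scope."""
    unfolded: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip():
            unfolded.append(raw)
    entry: dict[str, list[str]] = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_generalized_time(value: str) -> datetime:
    """UTC GeneralizedTime (YYYYMMDDHHMMSS[.ffffff]Z) -> aware datetime."""
    match = _GENERALIZED_TIME.match(value)
    if not match:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    when = datetime.strptime(match.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if match.group(2):
        when += timedelta(microseconds=int(match.group(2).ljust(6, "0")))
    return when


def format_generalized_time(when: datetime) -> str:
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def evaluate_bind(policy: dict, user: dict, now: datetime) -> tuple[str, int | None]:
    """Classify a bind attempt under the policy's expiry rules.
    ("ok", seconds_left)    password still valid
    ("grace", graces_left)  expired, this bind consumes one grace login
    ("expired", 0)          expired and pwdGraceAuthNLimit exhausted: the
                            error code 49 result quoted in the thread
    """
    max_age = int(policy.get("ads-pwdMaxAge", ["0"])[0])
    grace_limit = int(policy.get("ads-pwdGraceAuthNLimit", ["0"])[0])
    if max_age == 0 or "pwdChangedTime" not in user:
        return "ok", None  # pwdMaxAge 0 disables expiry; no change time, nothing to age
    expires = parse_generalized_time(user["pwdChangedTime"][0]) + timedelta(seconds=max_age)
    if now < expires:
        return "ok", int((expires - now).total_seconds())
    graces_used = len(user.get("pwdGraceUseTime", []))  # one value per grace bind
    if graces_used < grace_limit:
        return "grace", grace_limit - graces_used - 1
    return "expired", 0


def backdated_changed_time(now: datetime, policy: dict, margin: int = 86400) -> str:
    """pwdChangedTime value already past pwdMaxAge, as set on a throwaway
    test instance in the thread's reproduction steps."""
    max_age = int(policy["ads-pwdMaxAge"][0])
    return format_generalized_time(now - timedelta(seconds=max_age + margin))


def accounts_needing_attention(policy, users, now, within=timedelta(days=7)):
    """Defender's check: DNs already in grace/expired state, or expiring within
    `within`. Run it for uid=admin before turning pwdMaxAge on so an expired
    admin password never comes as a surprise."""
    flagged = []
    for user in users:
        state, detail = evaluate_bind(policy, user, now)
        if state == "ok" and detail is not None and detail <= within.total_seconds():
            state = "expiring"
        if state != "ok":
            flagged.append((user["dn"][0], state))
    return flagged


NOW = datetime(2016, 5, 7, 12, 0, tzinfo=timezone.utc)  # constructed reference time
POLICY = parse_ldif_entry(POLICY_LDIF)
SAMPLE_USERS = [  # constructed entries, not real directory data
    parse_ldif_entry("dn: uid=admin,ou=system\npwdChangedTime: 20160325163415.003000Z\n"),
    parse_ldif_entry("dn: uid=hal,ou=users,ou=system\npwdChangedTime: "
                     + backdated_changed_time(NOW, POLICY) + "\n"),
    parse_ldif_entry("dn: uid=backup,ou=users,ou=system\npwdChangedTime: "
                     + backdated_changed_time(NOW, POLICY) + "\n"
                     + "pwdGraceUseTime: 20160506100000Z\n" * 5),
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user["dn"][0], evaluate_bind(POLICY, user, NOW))
    print(accounts_needing_attention(POLICY, SAMPLE_USERS, NOW))
```

With the quoted policy, pwdMaxAge of 3888000 seconds is 45 days, so an admin password changed on 2016-03-25 expires on 2016-05-09; once the five pwdGraceAuthNLimit binds have each left a pwdGraceUseTime value, the next bind gets the error code 49 result in the thread. Running the attention check against uid=admin,ou=system before enabling expiry (or ahead of the expiry date) is the cheap way to avoid being locked out of the one account expected to bypass the policy.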
