From an old post I found I could enable self-write access to the
shadowLastChange attribute by going into the directory, selecting the root domain, selecting
Set Access Permissions, selecting "Enable self write for common attributes", and editing
"self" manually. I added shadowLastChange and userPassword to the list and saved.
Worked great. This was an account imported from an older OpenLDAP server. Is this the
correct fix for this, or have I misconfigured something that I should fix correctly?
[mailto:firstname.lastname@example.org] On Behalf Of David Hoskinson
Sent: Thursday, September 29, 2011 7:33 AM
To: General discussion list for the 389 Directory server project.
Subject: [389-users] Password expiration policy problem
I have configured our directory server to have a global password policy in the directory
server, under Data -> Passwords. Under the policy we have elected to use, the password expires
in 45 days. For the last 15 days it has been warning me to change it. I have on several
occasions changed it by typing password in a terminal window and changing it. This has
been successful and the new password is active. However, the next time I log in the countdown
has not been reset. I was wondering what would happen when it got to 0, so I let that
happen today. As expected, it prompted me to change my password and reset it. However,
when I log back in I am still at 0 and hence cannot log in to the machine. I looked at the
passwordexpirationtime on my account and it reads 20111113112125Z, as I believe it should
since it was reset today. Still can't log in, and the account says I am at 0 days...
Thanks for any help...
David Hoskinson | DATATRAK International
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
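
The mismatch described in this thread, as an added diagnostic sketch that is not part of either message and not code from the 389 project. It assumes the login client derives its countdown from the RFC 2307 attributes shadowLastChange and shadowMax; the passwordExpirationTime value is the one quoted above, while the shadowMax value, the stale shadowLastChange date and the helper names are constructed for illustration.

```python
from datetime import date, datetime

EPOCH = date(1970, 1, 1)

def to_shadow_days(d):
    """shadowLastChange is stored as whole days since 1970-01-01."""
    return (d - EPOCH).days

def shadow_days_left(entry, today):
    """Countdown as a shadow-aware client would derive it; None if attributes are absent."""
    if "shadowLastChange" not in entry or "shadowMax" not in entry:
        return None
    return int(entry["shadowLastChange"]) + int(entry["shadowMax"]) - to_shadow_days(today)

def server_days_left(entry, today):
    """Countdown according to the server-side password policy attribute."""
    expires = datetime.strptime(entry["passwordExpirationTime"], "%Y%m%d%H%M%SZ")
    return (expires.date() - today).days

def diagnose(entry, today):
    """Classify the entry: do the client view and the server view agree?"""
    client = shadow_days_left(entry, today)
    server = server_days_left(entry, today)
    if client is None:
        return "no-shadow-attributes"
    if client <= 0 < server:
        # The server accepted the change, but shadowLastChange was never rewritten,
        # e.g. because the user has no self-write access to that attribute.
        return "stale-shadowLastChange"
    return "consistent" if client == server else "mismatch"

TODAY = date(2011, 9, 29)  # date of the original message
STALE = {
    "passwordExpirationTime": "20111113112125Z",                # value quoted in the thread
    "shadowMax": "45",                                          # constructed: mirrors the 45-day policy
    "shadowLastChange": str(to_shadow_days(date(2011, 8, 15))), # constructed: never updated
}
# Same entry after the client is allowed to write shadowLastChange on password change.
FIXED = dict(STALE, shadowLastChange=str(to_shadow_days(TODAY)))

if __name__ == "__main__":
    for name, entry in (("before ACI change", STALE), ("after ACI change", FIXED)):
        print(name, shadow_days_left(entry, TODAY), server_days_left(entry, TODAY),
              diagnose(entry, TODAY))
```

Feeding it the attributes returned for a real entry shows whether a "0 days" prompt comes from the server policy or from a shadowLastChange value the client was not allowed to update.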