I am in a curious situation (and by curious I mean frustratingly
annoying). I have enabled strong password policies, including
expirations, across my tree (policy of the site). This has since
affected my 'admin' account in
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot. I
discovered this was happening when I was no longer able to log in to the
IDM/admin console.
Unfortunately, the IDM gave a very obtuse error about not being able to
find an object. I discovered the real problem when I tried an
ldapsearch with the admin uid, and it then returned password expired.
This is a side issue, not part of the core problem.
I used ldapmodify with "cn=directory manager" and changed the password
hash. I can then log in with IDM again. I then go (in IDM) to the admin
account and I change passwordexpirationtime to be 2040........Z (i.e.
some time in the distant future). I save this change; restart the
directory server and the account is expired again. If I go through the
same reset process and pull up the value, it has not committed the
passwordexpirationtime attribute, it is back to the original
setting (!?). To be even more confusing, if I do an ldapsearch on the
uid=admin account, it doesn't even show the passwordexpirationtime
attribute (and thus cannot be updated). I can only see/change this via IDM.
Can anybody explain this behavior? Is there a better way to exclude the
admin account from the password policies of the server? Can somebody
explain why I can see some attributes on uid=admin that cannot be seen
with ldapsearch?
Versions:
389-ds-console-1.2.0-5
389-admin-1.1.9-1
389-admin-console-1.1.4-2
389-console-1.1.3-5
389-ds-base-1.2.3-1
389-admin-console-doc-1.1.4-2
389-adminutil-1.1.8-4
389-ds-console-doc-1.2.0-5
389-dsgw-1.1.4-1
389-ds-1.1.3-5
RHEL 5.5
Any help/insight into this matter would be greatly appreciated.
-B.G.
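An added example (not from the original post or the 389 project) showing the check a reader of this thread would want to run before assuming the attribute is gone: it parses the LDIF that `ldapsearch` prints for the admin entry, reports whether `passwordExpirationTime` is absent, expired or still valid, and builds the `ldapmodify` LDIF that pushes the expiration out. In 389 DS `passwordExpirationTime` is an operational attribute (USAGE directoryOperation in the core schema), so a plain `ldapsearch` omits it unless it is named explicitly or `+` is added to the attribute list; the example assumes the search was run that way. The sample LDIF, the reference times, `ADMIN_DN` and the `expiration_modify_ldif` helper are constructed for illustration.

```python
#!/usr/bin/env python3
"""Parse ldapsearch LDIF output and report the password-expiration state.

Added example, not code from the original post.  Assumed input is what this
command prints (note the trailing "+", which requests operational attributes):

  ldapsearch -x -D "cn=directory manager" -W \
    -b "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" \
    -s base "(objectClass=*)" "*" "+"
"""
import base64
from datetime import datetime, timezone

ADMIN_DN = "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"

# Constructed sample: the admin entry fetched WITH operational attributes.
# Includes a folded line (cn) and a base64 value (description) so the parser
# is exercised on both LDIF features.  Values are made up.
SAMPLE_LDIF_WITH_EXPIRY = """\
dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
objectClass: top
objectClass: person
uid: admin
cn: Configuration
  Administrator
description:: QWRtaW4gYWNjb3VudA==
passwordExpirationTime: 20100301120000Z
modifiersName: cn=directory manager
"""

# Constructed sample: the same entry fetched WITHOUT requesting operational
# attributes, so passwordExpirationTime never appears in the output at all.
SAMPLE_LDIF_NO_EXPIRY = """\
dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
objectClass: top
objectClass: person
uid: admin
cn: Configuration Administrator
"""


def parse_ldif_entry(text):
    """Return {attr: [values]} for the first entry in LDIF text.

    Handles folded lines (a continuation line starts with one space that is
    dropped), base64 values ('attr:: ...') and comment lines.  LDAP attribute
    names are case-insensitive, so keys are lower-cased.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold onto the previous line
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line.strip():
            if entry:
                break                     # blank line ends the first entry
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def to_datetime(value):
    """Accept an LDAP GeneralizedTime string (20100301120000Z) or a datetime."""
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiration_status(ldif_text, now=None):
    """Classify the entry as 'missing', 'expired' or 'valid'.

    'missing' means passwordExpirationTime was not in the output.  The usual
    cause is that operational attributes were not requested; it does not mean
    the server holds no expiration time for the entry.
    """
    now = to_datetime(now) if now else datetime.now(timezone.utc)
    values = parse_ldif_entry(ldif_text).get("passwordexpirationtime")
    if not values:
        return "missing"
    return "expired" if to_datetime(values[0]) <= now else "valid"


def expiration_modify_ldif(dn, expires):
    """Build the LDIF for `ldapmodify` that replaces passwordExpirationTime.

    Assumption of this example: a sufficiently privileged bind (such as the
    directory manager) may replace the attribute directly.
    """
    stamp = to_datetime(expires).strftime("%Y%m%d%H%M%SZ")
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: passwordExpirationTime\npasswordExpirationTime: {stamp}\n")


if __name__ == "__main__":
    reference_now = "20100601000000Z"     # constructed reference time
    print(expiration_status(SAMPLE_LDIF_WITH_EXPIRY, reference_now))  # expired
    print(expiration_status(SAMPLE_LDIF_NO_EXPIRY, reference_now))    # missing
    print(expiration_modify_ldif(ADMIN_DN, "20400101000000Z"))
```

In practice the script would be fed real output (`ldapsearch ... "*" "+" | python3 check_expiry.py` with a small stdin wrapper), and the LDIF that `expiration_modify_ldif` returns is what `ldapmodify -x -D "cn=directory manager" -W` reads on stdin. A "missing" result is the case described in the post and is a reason to re-run the search with operational attributes requested rather than a sign that the server has dropped the value.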