On Tue, 2017-07-11 at 15:53 -0700, Darren Struthers wrote:
> I have inherited an instance of 389 Directory Server running version
> 1.2.10.2. I have observed some inconsistency in the server's behavior when
> I apply a user-level password policy to an account which has not previously
> had one (either directly via a user-level policy or indirectly via a
> subtree-level policy). I have applied a basic policy with a 7-day password
> expiration and 7-day warning period on several accounts. When I did this,
> some accounts seemed to start the 7-day clock upon a subsequent login,
> while others seemed to have no observable effect (i.e. the account state
> warning for a near expiration is not returned after authentication).
> Does anyone know what factors could result in this inconsistency in this
> version? The behavior seems to diverge along account age lines, with older
> accounts seeming to behave differently than the newer accounts, leading me
> to wonder if someone previously applied and removed password policies at
> either the user- or subtree-level in the past, and if so, whether that
> could potentially lead to the inconsistency I'm observing.

How are they logging in? Via a Unix machine? Perhaps something that is
reading shadow instead?

> A secondary question: does anyone know if it is possible to see the state
> of the expiration timer for accounts in this version?

If I recall correctly, I think the timers are relative to fixed points
in time, so look at the admin guide here, it might help you?
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...

> Any information or advice anyone has is appreciated. I can provide more
> information about the server in question if necessary.
> Thanks,
> Darren
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
--
Sincerely,
William Brown
Software Engineer
Red Hat, Australia/Brisbane