We have the following scenario:
We use a "global" password policy at cn=config where a customer of ours
defines:
passwordexp: on
passwordmaxage: 7776000
passwordwarning: 7344000
We provide as default configuration "passwordMustChange: on" to force a new user
to change the initial password. In this setup a user whose password expired, i.e. also
after this user is created and needs to change its initial password, cannot log in to the
account, but he can change the password.
The customer now wants a setup which prevents a user whose password expired from changing
the password. A plugin "Account Policy Plugin" can therefore be activated by the
customer, which uses the following configuration:
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: yes
stateAttrName: non_existent_attribute
altStateAttrName: passwordExpirationTime
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit
As a consequence, the initial password change does not work anymore, thus the customer
must change to "passwordMustChange: off". This would probably be acceptable.
A problem is, however, that a user account which has its own user password policy with
"passwordexp: off" and "passwordmustchange: off" is affected by the
plugin in such a way that the attribute passwordExpirationTime of the user itself is
evaluated and the attribute passwordexp of the user password policy is ignored. That
means, a user password policy for special user accounts without password expiration cannot
be used in combination with the Account Policy Plugin.
Can the plugin be configured to enable this possibility or is there another way to achieve
the desired behaviour?
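As an added illustration (not part of the thread, and not the plugin's actual source), the following Python model reproduces the interaction described above: the Account Policy Plugin reads stateAttrName, falls back to altStateAttrName (here passwordExpirationTime) and compares the result against accountInactivityLimit, without consulting the password policy's passwordExp. The accountInactivityLimit value, the clock, the user entries and the assumption that a "must change" account carries a passwordExpirationTime in the past are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as stored in the directory

# Plugin configuration from the post (the parts this model needs).
PLUGIN_CONFIG = {
    "stateAttrName": "non_existent_attribute",
    "altStateAttrName": "passwordExpirationTime",
    "limitAttrName": "accountInactivityLimit",
}

# Constructed account policy subentry; the post does not give the limit value,
# 0 seconds is assumed here so that any expired password locks the account.
ACCOUNT_POLICY = {"accountInactivityLimit": "0"}

# Constructed password policies: the global one and a per-user one.
GLOBAL_PW_POLICY = {"passwordExp": "on", "passwordMaxAge": 7776000}
SPECIAL_PW_POLICY = {"passwordExp": "off", "passwordMustChange": "off"}


def parse_gtime(value):
    """Parse a GeneralizedTime string into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def password_policy_expired(entry, policy, now):
    """Password-policy view: with passwordExp off the password never expires,
    whatever passwordExpirationTime is stored on the entry."""
    if policy.get("passwordExp", "off") != "on":
        return False
    exp = entry.get("passwordExpirationTime")
    return exp is not None and parse_gtime(exp) <= now


def account_policy_allows_bind(entry, subentry, now, config=PLUGIN_CONFIG):
    """Simplified model of the Account Policy Plugin's bind check (assumption:
    read stateAttrName, fall back to altStateAttrName, reject the bind once
    now - state exceeds limitAttrName seconds; no password-policy attribute
    is consulted)."""
    state = entry.get(config["stateAttrName"]) or entry.get(config["altStateAttrName"])
    if state is None:
        return True  # nothing to evaluate
    limit = timedelta(seconds=int(subentry[config["limitAttrName"]]))
    return now - parse_gtime(state) <= limit


def evaluate(entry, pw_policy, now):
    """Compare what the password policy says with what the plugin decides."""
    return {
        "password_expired_per_policy": password_policy_expired(entry, pw_policy, now),
        "bind_allowed_by_plugin": account_policy_allows_bind(entry, ACCOUNT_POLICY, now),
    }


NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock

# Newly created user under the global policy with passwordMustChange on.
# Assumption: the directory marks "must change" with an expiration time in the past.
NEW_USER = {"uid": "newuser", "passwordExpirationTime": "19700101000000Z"}

# Special account with its own policy (passwordExp off) that still carries an
# old passwordExpirationTime from an earlier password change (constructed).
SPECIAL_USER = {"uid": "svc", "passwordExpirationTime": "20230101000000Z"}

if __name__ == "__main__":
    for user, policy in ((NEW_USER, GLOBAL_PW_POLICY), (SPECIAL_USER, SPECIAL_PW_POLICY)):
        print(user["uid"], evaluate(user, policy, NOW))
```

Running it shows both accounts rejected by the plugin: the new user because its must-change marker is read as an expired state, and the special account even though its own password policy reports the password as not expired, which is exactly the conflict the post describes.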