admin account expires, expire time refuses to update
It seems to me that the password policy is being applied to your Directory Manager user. I recall that you can disable password policy for cn=config users but can't find that in the documentation now. It is also worthwhile reading the second paragraph of 184.108.40.206 in the Admin guide which refers to a bug regarding password policy. That might not be true any more so read it with a pinch of salt.
From: firstname.lastname@example.org [email@example.com] on behalf of Brandon G [firstname.lastname@example.org]
Sent: 09 August 2010 18:30
Subject: [389-users] admin account expires, expire time refuses to update
I am in a curious situation (and by curious I mean frustratingly
annoying). I have enabled strong password policies, including
expirations, across my tree (policy of the site). This has since
affected my 'admin' account in
uid=admin,ou=Administrators,ou=TopologyManagement, o=NetscapeRoot. I
discovered this was happening when I was no longer able to log in to the
Unfortunately, the IDM gave a very obtuse error about not being able to
find an object. I discovered the real problem when I tried an
ldapsearch with the admin uid, and it then returned password expired.
This is a side issue, not part of the core problem.
I used ldapmodify with "cn=directory manager" and changed the password
hash. I can then log in with IDM again. I then go (in IDM) to the admin
account and I change passwordexpirationtime to be 2040........Z (i.e.
some time in the distant future). I save this change; restart the
directory server and the account is expired again. If I go through the
same reset process and pull up the value, it has not committed the
passwordexpirationtime attribute, it is back to the original
setting(!?) To be even more confusing, if I do an ldapsearch on the
uid=admin account, it doesn't even show the passwordexpirationtime
attribute (and thus cannot be updated). I can only see/change this via IDM.
Can anybody explain this behavior? Is there a better way to exclude the
admin account from the password policies of the server? Can somebody
explain why I can see some attributes on uid=admin that cannot be seen
Any help/insight into this matter would be greatly appreciated.
389 users mailing list