Old 08-09-2010, 05:30 PM
Brandon G
 
admin account expires, expire time refuses to update

I am in a curious situation (and by curious I mean frustratingly
annoying). I have enabled strong password policies, including
expirations, across my tree (policy of the site). This has since
affected my 'admin' account in
uid=admin,ou=Administrators,ou=TopologyManagement, o=NetscapeRoot. I
discovered this was happening when I was no longer able to log in to the
IDM/admin console.

Unfortunately, the IDM gave a very obtuse error about not being able to
find an object. I discovered the real problem when I tried an
ldapsearch with the admin uid, and it then returned password expired.
This is a side issue, not part of the core problem.

I used ldapmodify with "cn=directory manager" and changed the password
hash. I can then login with IDM again. I then go (in IDM) to the admin
account and I change passwordexpirationtime to be 2040........Z (i.e.
some time in the distant future). I save this change; restart the
directory server and the account is expired again. If I go through the
same reset process and pull up the value, it has not committed the
passwordexpirationtime attribute, it is back to the original
setting(!?) To be even more confusing, if I do an ldapsearch on the
uid=admin account, it doesn't even show the passwordexpirationtime
attribute (and thus cannot be updated). I can only see/change this via IDM.

Can anybody explain this behavior? Is there a better way to exclude the
admin account from the password policies of the server? Can somebody
explain why I can see some attributes on uid=admin that cannot be seen
with ldapsearch?

Versions:

389-ds-console-1.2.0-5
389-admin-1.1.9-1
389-admin-console-1.1.4-2
389-console-1.1.3-5
389-ds-base-1.2.3-1
389-admin-console-doc-1.1.4-2
389-adminutil-1.1.8-4
389-ds-console-doc-1.2.0-5
389-dsgw-1.1.4-1
389-ds-1.1.3-5
RHEL 5.5

Any help/insight into this matter would be greatly appreciated.

-B.G.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 08-10-2010, 08:45 AM
Gerrard Geldenhuis
 
admin account expires, expire time refuses to update

Hi Brandon,
It seems to me that the password policy is being applied to your Directory Manager user. I recall that you can disable password policy for cn=config users but can't find that in the documentation now. It is also worthwhile reading the second paragraph of 7.1.1.5 in the Admin guide, which refers to a bug regarding password policy. That might not be true any more, so read it with a pinch of salt.

Regards
 

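The thread leaves two practical points hanging: why passwordExpirationTime never shows up in Brandon's ldapsearch, and how to keep one account out of the password policy without hand-editing its expiration time after every reset. The script below is an added example, not code from the thread, from 389-ds or from either poster. It uses the OpenLDAP command-line clients (ldapsearch/ldapmodify; the Mozilla LDAP tools that 389-ds also ships take different flags) and assumes a server URL, a Directory Manager password file path and the environment variable names LDAP_URL, ROOT_DN, ROOT_PW_FILE, PWP_APPLY and PWP_RUN, all of which are this example's own choices. The local-policy entries follow the layout that the ns-newpwpolicy.pl helper in 389-ds-base generates for a user-level policy. Without PWP_APPLY set it only prints what it would send, so it can be reviewed before touching a live directory.

```shell
#!/bin/sh
# Added example (not from the thread or the 389 project): inspect and fix the
# password-policy state of the 389 Console admin account discussed above.
# Assumptions, all overridable from the environment:
#   LDAP_URL      server to talk to
#   ROOT_DN       a DN that password policy never applies to (Directory Manager)
#   ROOT_PW_FILE  file holding its password (-y keeps it off the command line)
# With PWP_APPLY unset the script only prints what it would send (dry run).

LDAP_URL="${LDAP_URL:-ldap://localhost:389}"
ROOT_DN="${ROOT_DN:-cn=directory manager}"
ROOT_PW_FILE="${ROOT_PW_FILE:-/etc/dirsrv/.dmpw}"        # assumed location
ADMIN_DN="uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
ADMIN_PARENT="ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
POLICY_DN="cn=\"cn=nsPwPolicyEntry,$ADMIN_DN\",cn=nsPwPolicyContainer,$ADMIN_PARENT"

# Run an LDAP client command, or just echo it in dry-run mode.
run() {
  if [ -n "${PWP_APPLY:-}" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# 1. Check: passwordExpirationTime is an operational attribute, so the server
#    leaves it out of a plain ldapsearch; it has to be requested by name (or
#    with '+' on RFC 3673-capable clients). That is why uid=admin looked as if
#    it had no expiration time at all.
show_pw_state() {
  run ldapsearch -x -LLL -H "$LDAP_URL" -D "$ROOT_DN" -y "$ROOT_PW_FILE" \
    -b "$ADMIN_DN" -s base '(objectClass=*)' \
    passwordExpirationTime passwordExpWarned passwordRetryCount pwdpolicysubentry
}

# 2. LDIF that pushes the expiration time out. Caveat: every userPassword change
#    makes the server recompute passwordExpirationTime from the policy (and set
#    it to 19700101000000Z when passwordMustChange is on and someone other than
#    the user resets the password), so send this as its own modify *after* the
#    reset, then re-run show_pw_state to confirm it stuck.
#    Argument: a generalized time such as 20400101000000Z.
expiration_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: passwordExpirationTime\npasswordExpirationTime: %s\n' \
    "$ADMIN_DN" "$1"
}

# 3. The supported way to exclude one account: a fine-grained (local) password
#    policy attached to the entry through pwdpolicysubentry, with expiration
#    and must-change switched off. nsslapd-pwpolicy-local must be on in
#    cn=config or the server ignores local policies entirely.
local_policy_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: on

dn: cn=nsPwPolicyContainer,$ADMIN_PARENT
changetype: add
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

dn: $POLICY_DN
changetype: add
objectClass: top
objectClass: ldapsubentry
objectClass: passwordPolicy
cn: cn=nsPwPolicyEntry,$ADMIN_DN
passwordExp: off
passwordMustChange: off

dn: $ADMIN_DN
changetype: modify
replace: pwdpolicysubentry
pwdpolicysubentry: $POLICY_DN
EOF
}

# Feed an LDIF string to ldapmodify (-c continues past "already exists" when
# the container is already there), or print it in dry-run mode.
apply_ldif() {
  if [ -n "${PWP_APPLY:-}" ]; then
    printf '%s\n' "$1" | ldapmodify -x -c -H "$LDAP_URL" -D "$ROOT_DN" -y "$ROOT_PW_FILE"
  else
    printf '%s\n' "$1"
  fi
}

main() {
  show_pw_state
  apply_ldif "$(expiration_ldif 20400101000000Z)"
  apply_ldif "$(local_policy_ldif)"
  show_pw_state
}

# Only act when invoked as a script; sourcing just defines the functions.
if [ -n "${PWP_RUN:-}" ]; then main "$@"; fi
```

Run it once with only PWP_RUN set to see the exact search and LDIF it would send, then with PWP_APPLY=1 as well to apply them. Step 3 is the one that actually answers the "exclude the admin account" question: once the entry carries pwdpolicysubentry pointing at a policy with passwordExp off, a later password reset no longer puts an expiration date back on it, whereas step 2 only buys time until the next reset.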