[Fedora-directory-users] Account Expiration Warning

Jim Summers jsummers at bachman.cs.ou.edu
Wed Dec 21 15:08:44 UTC 2005


Hello List,

Having been troubled in the past with account expiration on an 
iplanet5.1 server with linux clients,  I wanted to get this working 
during my evaluation / testing of FDS.

I have enabled the password policy on the FDS and set the ldap.conf 
entries necessary to get this working. Upon doing this and then 
logging in and out, new fields appear in the people container for that 
account, such as passwordexpirationtime, passwordretrycount, etc... All 
is working, such as, a passwd change will update the necessary fields 
for the correct length of time, reset counts, etc...

When testing the password expiration warning I stumbled onto the issue, 
that I do not get an actual "Your password will expire in XX days" 
message.  I do see where the field, passwordexpwarned is set to "1", but 
I do not ever get an actual message.

The way I am testing is to set the policy to warn the user 3 days in 
advance.  Then I set the passwordexpirationtime to a date less than three 
days away.  Then attempt to log in.  Login is ok, but no warning of the 
impending doom about to strike the account.

If I actually set the expirationtime to a time less than the current, 
then I can login until passwordusergracetime is GE the allowed number of 
logins after the password expiration.  At which time I get a message 
that the password expired and it must be changed immediately, at which 
time the connection immediately closes and the password cannot be changed!

No log entries in error, so I am not sure what I have overlooked?

Any advice or suggestions?

Also, when doing an ldapsearch and binding as an admin user, I cannot see 
the entries for the passwordXXXXXXX fields.  Is there a certain 
ldapsearch switch to see those?  Possibly an ACI missing on my part?

TIA
-- 
Jim Summers
School of Computer Science-University of Oklahoma