can somebody give an advice how to change the LDAP password already expired?
I have an LDAP user and the password for this user is expired:
# su user
You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required
(Ignored)
Then I can change the password using 'passwd'. But if I try to log in once again, the message still appears. If I try to log in via ssh, I also get the following message: "You are required to change your password immediately (password aged)"
Then I change the password. But if I try to log in once again, the message remains...
Thank you in advance.
P.S. I have also tried:
user@server$ ldappasswd
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
You are missing a few attributes from your
ldappasswd
This is just an example
Probably you are using some policies (some of them can be kept in LDAP - for instance you got something like that in your LDAP server configuration).
Some of them can be kept locally (look for
moduleload ppolicy.la
in LDAP server configuration). Probably you are also missing the ability to allow users to change their passwords without god's power. You can do it by resetting PAM or (easier way) by allowing users to change their userPassword attribute without authentication.
Whenever you need more precise please let me know :)
Are you using shadow* attributes on the server? If yes, make sure the shadowLastChange attribute is writable by the user(s); otherwise the userPassword attribute gets updated while shadowLastChange remains unchanged, and on the next attempt the client tools calculate the password age using the old shadowLastChange value and think the password needs to be changed.
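An added example, not from any of the posts above, that reproduces the shadow(5) aging arithmetic the client-side tools apply to the LDAP shadow* attributes, and shows why a new userPassword alone does not clear the "password aged" state when shadowLastChange cannot be rewritten. The entry, dates and hashes are constructed; the DN is a placeholder.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """shadowLastChange is stored as a count of days since 1970-01-01."""
    return (d - EPOCH).days


def password_aged(entry: dict, today: date) -> bool:
    """Mirror the shadow(5) rule used by pam_unix: expired once today is
    past shadowLastChange + shadowMax. A value of 0 in shadowLastChange
    means "must change at next login"; -1 (or absence) disables aging."""
    last = int(entry.get("shadowLastChange", -1))
    max_age = int(entry.get("shadowMax", -1))
    if last < 0 or max_age < 0:
        return False
    if last == 0:
        return True
    return days_since_epoch(today) > last + max_age


def change_password(entry: dict, new_hash: str, today: date,
                    can_write_lastchange: bool) -> dict:
    """Simulate passwd/ldappasswd: userPassword is always replaced, but
    shadowLastChange is only bumped if the ACL lets the user write it."""
    updated = dict(entry)
    updated["userPassword"] = new_hash
    if can_write_lastchange:
        updated["shadowLastChange"] = str(days_since_epoch(today))
    return updated


def lastchange_ldif(dn: str, today: date) -> str:
    """LDIF an admin can feed to ldapmodify to reset the age by hand
    while the ACL is being fixed."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: shadowLastChange",
        f"shadowLastChange: {days_since_epoch(today)}",
        "",
    ])
```

With OpenLDAP the matching fix is an ACL such as `access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none`, so that the user's own password change can also update shadowLastChange.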