Password Problem

I am configuring a second MTA for our mail system. There is a problem with the LDAP authentication when the messaging user attempts an LDAP lookup for incoming emails. There is a lookup failure. This is the msg-admin- user. Our other MTA has the exact same setup (with its own msg-admin- user) and works without a problem. Has anyone seen this error before?

Entry from directory access log

[05/Jan/2007:10:49:50 -0700] conn=89089 op=4 msgId=5 - need new password

[05/Jan/2007:10:49:50 -0700] conn=89089 op=4 msgId=5 - RESULT err=53 tag=101 nentries=0 etime=0

Any advice would be great. Thanks

Darren

DarrenLCCa at 2007-11-26 14:15:05
# 1

See this thread:

http://forum.java.sun.com/thread.jspa?threadID=5096504&messageID=9331242

This usually happens when the Directory Manager resets an account's password, and the password policy has "passwordMustChange: on". The user is required to reset their password the first time they log in after the administrative reset.

As to why it's happening on one server and not the other, I'm not sure. Maybe an artifact of local password management that doesn't get replicated?

chad.kluncka at 2007-7-8 2:04:43
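As an added example (not code from the thread), a small Python check that scans Directory Server access-log lines in the format Darren posted and pairs each "need new password" line with the RESULT err=53 logged for the same conn/op, which is the signature of the must-change-after-reset condition described above. The sample log is constructed from the post's two lines plus one unrelated successful operation.

```python
import re

# Field layout of the access-log lines shown in the post:
# [timestamp] conn=N op=N msgId=N - <free text>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)"
    r"\s+msgId=(?P<msgid>\d+)\s+-\s+(?P<rest>.*)$"
)
RESULT_RE = re.compile(r"RESULT err=(?P<err>\d+)")


def find_must_change_failures(lines):
    """Return (timestamp, conn, op) for every operation where the server
    logged 'need new password' and then RESULT err=53 on the same conn/op.
    err=53 is LDAP unwillingToPerform; the thread ties it to an account
    whose password was reset while passwordMustChange is on."""
    pending = {}      # (conn, op) -> timestamp of the 'need new password' line
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines in other formats (BIND, SRCH, ...) are ignored
        key = (m["conn"], m["op"])
        rest = m["rest"]
        if rest == "need new password":
            pending[key] = m["ts"]
            continue
        r = RESULT_RE.search(rest)
        if r and key in pending:
            ts = pending.pop(key)
            if r["err"] == "53":
                findings.append((ts, int(m["conn"]), int(m["op"])))
    return findings


# Constructed sample: the two lines from the post plus one unrelated success.
SAMPLE_LOG = """\
[05/Jan/2007:10:49:50 -0700] conn=89089 op=4 msgId=5 - need new password
[05/Jan/2007:10:49:50 -0700] conn=89089 op=4 msgId=5 - RESULT err=53 tag=101 nentries=0 etime=0
[05/Jan/2007:10:49:51 -0700] conn=89090 op=1 msgId=2 - RESULT err=0 tag=97 nentries=0 etime=0
""".splitlines()

if __name__ == "__main__":
    for ts, conn, op in find_must_change_failures(SAMPLE_LOG):
        print(f"{ts}: conn={conn} op={op} refused, account must change its password")
```

Running it against a live access log (one line per list element) lists the conn/op pairs to check against the account's reset history on that server.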
# 2

I just did some tests in the latest version of 5.2 p4. The global password policy does NOT get replicated: not only the lock count, but also the history, reset and the others. This can explain why the password reset is not functioning well in one while it does function in the other. In order to achieve that, we have to configure it in all replicas.

However, as I recall, it once worked in the older version. Maybe my recollection is not right. Can anybody confirm that?

I just read the Admin guide; it does state that "Both individual and the global password policies are replicated. As a result, you may define them on a master and allow replication to propagate the policy to replicated servers". Very confused.

I will do further tests on this.

sun_iplaneta at 2007-7-8 2:04:43
# 3

Could you please point out exactly on which page of the Administration Guide you've read this sentence?

I'm going to avoid the word global to remove confusion.

The configuration of the password policy in effect by default for the whole server (stored under cn=config) does not get replicated, and therefore must be configured the same on all servers to achieve consistent behavior.

Any individual password policy configuration stored with the user data is replicated like other entries.

Now, the password policy feature does store meta-data in the users' entries for things like when the password is due to expire, password history...

All of the meta-data that is related to Password modification (expiration time, history, reset...) does get replicated to all servers along with the password modification.

The remainder of the meta-data, such as password warning sent and lockout, does not get replicated.

Ludovic.

ludovicpa at 2007-7-8 2:04:43
# 4

The quotation appears on page 251, Chapter 7 (User Account Management) of the Administration Guide: Sun ONE Directory Server version 5.2.

The book serial number is 816-6698-10, June 2003.

Here is the link:

http://docs.sun.com/source/816-6698-10/useracct.html

Thanks!

sun_iplaneta at 2007-7-8 2:04:43
# 5
Thanks for the reference. Documentation bug 6513673 was filed. This was fixed in the documentation of Directory Server 6.0 but still needs to be corrected for 5.2... Ludovic.

ludovicpa at 2007-7-8 2:04:43