We're running dsee7 188.8.131.52.1 64bit on Linux. I've been asked to implement password expiry in the ldap server and have a couple of questions.
We'll be applying this expiry to a subset of users initially, so I've created a custom policy in our test ldap and applied it to a user by setting the pwdPolicySubentry attribute. I noted that after changing the password on this user I now see the pwdChangedTime and passwordExpirationTime attributes.
1. I notice that if I change the settings in the custom policy it seems that they don't take effect unless I remove and re-add the pwdPolicySubentry attribute to the users. Is this how it's meant to work?
2. I've been trying to get expiration warnings working. I've done some research and it appears that they rely on control 2.16.840.1.1137184.108.40.206 . I don't know how widely this is supported, and I've been unable to get it to return anything using openldap's ldapsearch -e syntax for requesting extensions. Any idea what I'm missing?