On 01/07/2011 02:22 PM, harry.devine at faa.gov wrote:
>
> Won't let me do it. I get the following error:
>
> Cannot save to directory server:
> netscape.ldap.LDAPException: error result(21); passwordExpirationTime:
> value #0 invalid per syntax; Invalid Syntax.

What value did you use?

>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> From: Rich Megginson <rmeggins at redhat.com>
> To: Harry Devine/ACT/FAA at FAA
> Cc: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> Date: 01/07/2011 04:10 PM
> Subject: Re: Resetting user passwords
>
> ------------------------------------------------------------------------
>
> On 01/07/2011 01:51 PM, harry.devine at faa.gov wrote:
>
> In the Directory Server GUI, under the Configuration tab, I have:
>
> Passwords:
> Enable fine-grained password policy (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> In the Directory tab, I right-click on People, then select "Manage
> Password Policy" -> For subtree:
>
> Passwords:
> Fine-grained subtree policy enabled (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> I don't have any specific user password policy at this time. When I
> modify a user's password, I can log in from another PC via SSH as that
> user using the changed password, but I'm never told it has to be changed.
>
> In the user's entry, when changing the password, also change the
> attribute passwordExpirationTime to 0. This should trigger the reset
> password code. Note that the attribute passwordExpirationTime is an
> operational attribute.
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> From: Rich Megginson <rmeggins at redhat.com>
> To: Harry Devine/ACT/FAA at FAA
> Cc: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> Date: 01/07/2011 03:37 PM
> Subject: Re: Resetting user passwords
>
> ------------------------------------------------------------------------
>
> On 01/07/2011 01:23 PM, harry.devine at faa.gov wrote:
>
> Nope. Didn't work. I edited the entry, put in another password, then
> login using the new password and never get prompted to change it. I
> saw something online here:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords.
> Section 13.1.1.5 says something about a bug in Directory Server.
>
> Are you using per-user/per-subtree (i.e. Fine-Grained) password
> policy? If not, then that section does not apply.
>
> Can you post all of your password policy configuration?
>
> Is that something that I should follow or is that doc outdated?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> From: Rich Megginson <rmeggins at redhat.com>
> To: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>
> Cc: Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA
> Date: 01/07/2011 03:12 PM
> Subject: Re: Resetting user passwords
>
> ------------------------------------------------------------------------
>
> On 01/07/2011 01:02 PM, harry.devine at faa.gov wrote:
>
> In my 389-ds setup, I have a password policy in place where the user
> must change their password after a reset, they are allowed to change
> their password, and it expires after 90 days. However, I cannot find
> where the Directory Manager can actually RESET a user's password. The
> docs are very vague in this area IMO, so I'm sure I overlooked it.
>
> Not sure, but you may be able to login as directory manager, edit the
> user's entry, and change the password to some bogus value.
>
> Where do I go in the console to reset a particular user's password so
> they will be prompted to change it when they log in again?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
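
An added example, not part of the original thread: the "invalid per syntax" error is a syntax rejection, because passwordExpirationTime holds a Generalized Time value (RFC 4517) and a bare `0` would not parse as one. The sketch below checks a candidate value and builds the LDIF for an administrative reset; treating the epoch `19700101000000Z` as the Generalized Time form of "0" is an assumption, as are the function names and the sample DN.

```python
import base64
import re

# Generalized Time (RFC 4517): YYYYMMDDHH[MM[SS]][.fraction](Z|+hh[mm]|-hh[mm])
GT = re.compile(r"(\d{4})(\d{2})(\d{2})(\d{2})(?:(\d{2})(\d{2})?)?"
                r"(?:[.,]\d+)?(?:Z|[+-]\d{2}(?:\d{2})?)")

# Assumption: the epoch is the Generalized Time spelling of "0".
EPOCH = "19700101000000Z"


def is_generalized_time(value: str) -> bool:
    """Syntax check only; it does not reject dates such as 30 February."""
    m = GT.fullmatch(value)
    if not m:
        return False
    _, month, day, hour, minute, second = (int(g) if g else 0 for g in m.groups())
    return (1 <= month <= 12 and 1 <= day <= 31 and hour <= 23
            and minute <= 59 and second <= 60)  # 60 allows a leap second


def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or base64 'attr:: ...' when the value is not LDIF-safe."""
    if re.fullmatch(r"[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*", value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def reset_ldif(dn: str, temp_password: str, expiry: str = EPOCH) -> str:
    """LDIF that replaces the password and the expiration time in one modify."""
    if not is_generalized_time(expiry):
        raise ValueError(f"passwordExpirationTime {expiry!r} is not Generalized Time")
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: userPassword",
        ldif_line("userPassword", temp_password),
        "-",
        "replace: passwordExpirationTime",
        ldif_line("passwordExpirationTime", expiry),
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entry and password, for illustration only.
    print(reset_ldif("uid=jdoe,ou=People,dc=example,dc=com", "Temp-Pass-1"))
```

The output is meant to be fed to `ldapmodify` under an administrative bind; whether the server then prompts for a change at next login still depends on the password policy that applies to the entry.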