I tried that (using a date/time string similar to
passwordallowchangetime), and I was able to get the "your password will
expire in 10 days" message when I log in. I guess I thought that there
would have existed either a checkbox or a button similar to Active
Directory where it says "Reset user password" or something similar.
Now, whenever I try to change the password using the passwd command, I get
the following error:
LDAP password information update failed: Constraint violation
within password minimum age
passwd: Permission denied.
Any ideas on that?
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
From:
Harry Devine/ACT/FAA at FAA
To:
Rich Megginson <rmeggins at redhat.com>
Cc:
Ted Rush/ACT/FAA at FAA, "General discussion list for the 389 Directory
server project." <389-users at lists.fedoraproject.org>
Date:
01/07/2011 11:10 PM
Subject:
Re: Resetting user passwords
Sent by:
389-users-bounces at lists.fedoraproject.org
I'll try that on Monday when I'm back at work. Is there any specific time
formatted string I should use? I saw some of the other attributes
referring to time appear to have a value that looks like it starts with
the year and ends with Z.
Thanks!
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
-----Rich Megginson <rmeggins at redhat.com> wrote: -----
To: Harry Devine/ACT/FAA at FAA
From: Rich Megginson <rmeggins at redhat.com>
Date: 01/07/2011 08:25PM
cc: "General discussion list for the 389 Directory server project."
<389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
Subject: Re: Resetting user passwords
On 01/07/2011 06:06 PM, harry.devine at faa.gov wrote:
0
Looks like a bug. Because we now use strict GeneralizedTime syntax with
checking, you cannot input that value any more. I suppose you could set
it to the current time instead.
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
-----Rich Megginson <rmeggins at redhat.com> wrote: -----
To: Harry Devine/ACT/FAA at FAA
From: Rich Megginson <rmeggins at redhat.com>
Date: 01/07/2011 04:31PM
cc: "General discussion list for the 389 Directory server project."
<389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
Subject: Re: Resetting user passwords
On 01/07/2011 02:22 PM, harry.devine at faa.gov wrote:
Won't let me do it. I get the following error:
Cannot save to directory server:
netscape.ldap.LDAPException: error result(21); passwordExpirationTime:
value #0 invalid per syntax; Invalid Syntax.
What value did you use?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
From:
Rich Megginson <rmeggins at redhat.com>
To:
Harry Devine/ACT/FAA at FAA
Cc:
"General discussion list for the 389 Directory server project."
<389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
Date:
01/07/2011 04:10 PM
Subject:
Re: Resetting user passwords
On 01/07/2011 01:51 PM, harry.devine at faa.gov wrote:
In the Directory Server GUI, under the Configuration tab, I have:
Passwords:
Enable fine-grained password policy (checked)
User Password Change:
User must change password after reset (checked)
User may change password (checked)
Allow changes in 2 days
Keep password history: Remember 5 passwords
Password expiration:
Password expires after 90 days
Send warning 10 days before password expires
Allow up to 1 login attempt(s) after password expires
Password syntax:
Check password syntax (unchecked)
Password Encryption: SSHA
Account Lockout:
Accounts may be locked out (checked)
Password lockout
Lockout account after 3 login failures
Reset failure count after 10 minutes
Lockout duration 30 minutes
In the Directory tab, I right-click on People, then select "Manage
Password Policy" -> For subtree:
Passwords:
Fine-grained subtree policy enabled (checked)
User Password Change:
User must change password after reset (checked)
User may change password (checked)
Allow changes in 2 days
Keep password history: Remember 5 passwords
Password expiration:
Password expires after 90 days
Send warning 10 days before password expires
Allow up to 1 login attempt(s) after password expires
Password syntax:
Check password syntax (unchecked)
Password Encryption: SSHA
Account Lockout:
Accounts may be locked out (checked)
Password lockout
Lockout account after 3 login failures
Reset failure count after 10 minutes
Lockout duration 30 minutes
I don't have any specific user password policy at this time. When I
modify a user's password, I can log in from another PC via SSH as that
user using the changed password, but I'm never told it has to be changed.
In the user's entry, when changing the password, also change the attribute
passwordExpirationTime to 0. This should trigger the reset password code.
Note that the attribute passwordExpirationTime is an operational
attribute.
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
From:
Rich Megginson <rmeggins at redhat.com>
To:
Harry Devine/ACT/FAA at FAA
Cc:
"General discussion list for the 389 Directory server project."
<389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
Date:
01/07/2011 03:37 PM
Subject:
Re: Resetting user passwords
On 01/07/2011 01:23 PM, harry.devine at faa.gov wrote:
Nope. Didn't work. I edited the entry, put in another password, then
login using the new password and never get prompted to change it. I saw
something online here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords
. Section 13.1.1.5 says something about a bug in Directory Server.
Are you using per-user/per-subtree (i.e. Fine-Grained) password policy? If
not, then that section does not apply.
Can you post all of your password policy configuration?
Is that something that I should follow or is that doc outdated?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
From:
Rich Megginson <rmeggins at redhat.com>
To:
"General discussion list for the 389 Directory server project."
<389-users at lists.fedoraproject.org>
Cc:
Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA
Date:
01/07/2011 03:12 PM
Subject:
Re: Resetting user passwords
On 01/07/2011 01:02 PM, harry.devine at faa.gov wrote:
In my 389-ds setup, I have a password policy in place where the user must
change their password after a reset, they are allowed to change their
password, and it expires after 90 days. However, I cannot find where the
Directory Manager can actually RESET a user's password. The docs are very
vague in this area IMO, so I'm sure I overlooked it.
Not sure, but you may be able to login as directory manager, edit the
user's entry, and change the password to some bogus value.
Where do I go in the console to reset a particular user's password so they
will be prompted to change it when they log in again?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20110110/930d554f/attachment-0001.html
