On 01/10/2011 09:33 AM, harry.devine at faa.gov wrote:
>
> Just did that, got the same error. What do I set passwordallowchange
> time to? I set it to a time value that would've been an hour ago
> since I got an error setting it to 0.

That sounds like the right value. I'm not sure what's going on - could be a bug.

>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> From: Rich Megginson <rmeggins at redhat.com>
> To: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>
> Cc: Harry Devine/ACT/FAA at FAA, Rob Crittenden <rcritten at redhat.com>,
> Ted Rush/ACT/FAA at FAA, 389-users-bounces at lists.fedoraproject.org
> Date: 01/10/2011 11:19 AM
> Subject: Re: Resetting user passwords
>
>
> On 01/10/2011 08:21 AM, harry.devine at faa.gov wrote:
>
> I had it set to 2 days (the "allow changes in X days" setting). I set
> it to 0, logged in as that user, and got the exact same error.
> Did you set the global password policy setting or the per-subtree
> password policy setting?
> You may have to also reset the passwordallowchangetime attribute in
> the user's entry - if you change the minage password policy setting,
> it doesn't change the passwordallowchangetime in each user's entry
> since it has already been calculated previously.
>
> Thanks,
> Harry
>
> From: Rob Crittenden <rcritten at redhat.com>
> To: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>
> Cc: Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA,
> 389-users-bounces at lists.fedoraproject.org
> Date: 01/10/2011 10:18 AM
> Subject: Re: Resetting user passwords
>
>
> harry.devine at faa.gov wrote:
> >
> > I tried that (using a date/time string similar to
> > passwordallowchangetime), and I was able to get the "your password will
> > expire in 10 days" message when I log in. I guess I thought that there
> > would have existed either a checkbox or a button similar to Active
> > Directory where it says "Reset user password" or something similar.
> >
> > Now, whenever I try to change the password using the passwd command, I
> > get the following error:
> >
> > LDAP password information update failed: Constraint violation
> > within password minimum age
> > passwd: Permission denied.
> >
> > Any ideas on that?
>
> See if you have passwordMinAge set. This defines the minimum amount of
> time that must pass before a password can be changed. This is generally
> used in conjunction with password history (so a user doesn't repeatedly
> change their password so they can re-use one once it gets pushed out of
> history).
>
> rob
>
> > Harry
> >
> > From: Harry Devine/ACT/FAA at FAA
> > To: Rich Megginson <rmeggins at redhat.com>
> > Cc: Ted Rush/ACT/FAA at FAA, "General discussion list for the 389
> > Directory server project." <389-users at lists.fedoraproject.org>
> > Date: 01/07/2011 11:10 PM
> > Subject: Re: Resetting user passwords
> > Sent by: 389-users-bounces at lists.fedoraproject.org
> >
> >
> > I'll try that on Monday when I'm back at work. Is there any specific
> > time formatted string I should use? I saw some of the other attributes
> > referring to time appear to have a value that looks like it starts with
> > the year and ends with Z.
> >
> > Thanks!
> > Harry
> >
> > -----Rich Megginson <rmeggins at redhat.com> wrote: -----
> >
> > To: Harry Devine/ACT/FAA at FAA
> > From: Rich Megginson <rmeggins at redhat.com>
> > Date: 01/07/2011 08:25PM
> > cc: "General discussion list for the 389 Directory server project."
> > <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> > Subject: Re: Resetting user passwords
> >
> > On 01/07/2011 06:06 PM, harry.devine at faa.gov wrote:
> > 0
> > Looks like a bug. Because we now use strict GeneralizedTime syntax with
> > checking, you cannot input that value any more. I suppose you could set
> > it to the current time instead.
> >
> > Harry
> >
> > -----Rich Megginson <rmeggins at redhat.com> wrote: -----
> >
> > To: Harry Devine/ACT/FAA at FAA
> > From: Rich Megginson <rmeggins at redhat.com>
> > Date: 01/07/2011 04:31PM
> > cc: "General discussion list for the 389 Directory server project."
> > <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> > Subject: Re: Resetting user passwords
> >
> > On 01/07/2011 02:22 PM, harry.devine at faa.gov wrote:
> >
> > Won't let me do it. I get the following error:
> >
> > Cannot save to directory server:
> > netscape.ldap.LDAPException: error result(21); passwordExpirationTime:
> > value #0 invalid per syntax; Invalid Syntax.
> > What value did you use?
> >
> > Thanks,
> > Harry
> >
> > From: Rich Megginson <rmeggins at redhat.com>
> > To: Harry Devine/ACT/FAA at FAA
> > Cc: "General discussion list for the 389 Directory server project."
> > <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> > Date: 01/07/2011 04:10 PM
> > Subject: Re: Resetting user passwords
> >
> >
> > On 01/07/2011 01:51 PM, harry.devine at faa.gov wrote:
> >
> > In the Directory Server GUI, under the Configuration tab, I have:
> >
> > Passwords:
> > Enable fine-grained password policy (checked)
> > User Password Change:
> > User must change password after reset (checked)
> > User may change password (checked)
> > Allow changes in 2 days
> > Keep password history: Remember 5 passwords
> > Password expiration:
> > Password expires after 90 days
> > Send warning 10 days before password expires
> > Allow up to 1 login attempt(s) after password expires
> > Password syntax:
> > Check password syntax (unchecked)
> > Password Encryption: SSHA
> > Account Lockout:
> > Accounts may be locked out (checked)
> > Password lockout
> > Lockout account after 3 login failures
> > Reset failure count after 10 minutes
> > Lockout duration 30 minutes
> >
> > In the Directory tab, I right-click on People, then select "Manage
> > Password Policy" -> For subtree:
> >
> > Passwords:
> > Fine-grained subtree policy enabled (checked)
> > User Password Change:
> > User must change password after reset (checked)
> > User may change password (checked)
> > Allow changes in 2 days
> > Keep password history: Remember 5 passwords
> > Password expiration:
> > Password expires after 90 days
> > Send warning 10 days before password expires
> > Allow up to 1 login attempt(s) after password expires
> > Password syntax:
> > Check password syntax (unchecked)
> > Password Encryption: SSHA
> > Account Lockout:
> > Accounts may be locked out (checked)
> > Password lockout
> > Lockout account after 3 login failures
> > Reset failure count after 10 minutes
> > Lockout duration 30 minutes
> >
> > I don't have any specific user password policy at this time. When I
> > modify a user's password, I can log in from another PC via SSH as that
> > user using the changed password, but I'm never told it has to be changed.
> > In the user's entry, when changing the password, also change the
> > attribute passwordExpirationTime to 0. This should trigger the reset
> > password code. Note that the attribute passwordExpirationTime is an
> > operational attribute.
> >
> > Thanks,
> > Harry
> >
> > From: Rich Megginson <rmeggins at redhat.com>
> > To: Harry Devine/ACT/FAA at FAA
> > Cc: "General discussion list for the 389 Directory server project."
> > <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> > Date: 01/07/2011 03:37 PM
> > Subject: Re: Resetting user passwords
> >
> >
> > On 01/07/2011 01:23 PM, harry.devine at faa.gov wrote:
> >
> > Nope. Didn't work. I edited the entry, put in another password, then
> > login using the new password and never get prompted to change it. I saw
> > something online here:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords.
> > Section 13.1.1.5 says something about a bug in Directory Server.
> > Are you using per-user/per-subtree (i.e. Fine-Grained) password policy?
> > If not, then that section does not apply.
> >
> > Can you post all of your password policy configuration?
> > Is that something that I should follow or is that doc outdated?
> >
> > Thanks,
> > Harry
> >
> > From: Rich Megginson <rmeggins at redhat.com>
> > To: "General discussion list for the 389 Directory server project."
> > <389-users at lists.fedoraproject.org>
> > Cc: Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA
> > Date: 01/07/2011 03:12 PM
> > Subject: Re: Resetting user passwords
> >
> >
> > On 01/07/2011 01:02 PM, harry.devine at faa.gov wrote:
> >
> > In my 389-ds setup, I have a password policy in place where the user
> > must change their password after a reset, they are allowed to change
> > their password, and it expires after 90 days. However, I cannot find
> > where the Directory Manager can actually RESET a user's password. The
> > docs are very vague in this area IMO, so I'm sure I overlooked it.
> >
> > Not sure, but you may be able to login as directory manager, edit the
> > user's entry, and change the password to some bogus value.
> >
> > Where do I go in the console to reset a particular user's password so
> > they will be prompted to change it when they log in again?
> >
> > Thanks,
> > Harry
> >
> > --
> > 389 users mailing list
> > 389-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
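
Added example (not part of the thread, and not 389 Directory Server code): a small Python helper that shows why the value 0 fails a strict GeneralizedTime check and builds the LDIF modify discussed above, with passwordExpirationTime set to the current time and passwordAllowChangeTime set to one hour earlier. The user DN is a constructed placeholder, the check covers only the YYYYMMDDHHMMSSZ form of GeneralizedTime, and the thread does not confirm that this change clears the minimum-age error.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of RFC 4517 GeneralizedTime: date and time to the second, UTC ("Z").
_GT_UTC = re.compile(r"^\d{14}Z$")


def is_generalized_time(value: str) -> bool:
    """True if value is YYYYMMDDHHMMSSZ and names a real calendar date/time."""
    if not _GT_UTC.match(value):
        return False
    try:
        datetime.strptime(value, "%Y%m%d%H%M%SZ")
    except ValueError:  # e.g. month 13 or February 30
        return False
    return True


def to_generalized_time(moment: datetime) -> str:
    """Format a timezone-aware datetime as a UTC GeneralizedTime string."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def reset_ldif(user_dn: str, now: datetime) -> str:
    """LDIF for ldapmodify: expiration = now, allow-change = one hour ago."""
    expiration = to_generalized_time(now)
    allow_change = to_generalized_time(now - timedelta(hours=1))
    for value in (expiration, allow_change):
        if not is_generalized_time(value):
            raise ValueError(f"not GeneralizedTime: {value!r}")
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: passwordExpirationTime",
        f"passwordExpirationTime: {expiration}",
        "-",
        "replace: passwordAllowChangeTime",
        f"passwordAllowChangeTime: {allow_change}",
        "",
    ])


if __name__ == "__main__":
    # Constructed DN; substitute the entry being reset.
    dn = "uid=jdoe,ou=People,dc=example,dc=com"
    print("0 accepted?", is_generalized_time("0"))
    print(reset_ldif(dn, datetime.now(timezone.utc)))
```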