On 01/07/2011 06:06 PM, harry.devine@xxxxxxx wrote:
0
Looks like a bug. Because we now use strict GeneralizedTime syntax
with checking, you cannot input that value any more. I suppose you
could set it to the current time instead.
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx
-----Rich Megginson <rmeggins@xxxxxxxxxx> wrote: -----
To: Harry Devine/ACT/FAA@FAA
From: Rich Megginson <rmeggins@xxxxxxxxxx>
Date: 01/07/2011 04:31PM
cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
Subject: Re: [389-users] Resetting user passwords
On 01/07/2011 02:22 PM, harry.devine@xxxxxxx wrote:
Won't let me do it. I get the following error:
Cannot save to directory server:
netscape.ldap.LDAPException: error result(21); passwordExpirationTime: value #0 invalid per syntax; Invalid Syntax.
What value did you use?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx
On 01/07/2011 01:51 PM, harry.devine@xxxxxxx wrote:
In the Directory Server GUI, under the Configuration tab, I have:
Passwords:
Enable fine-grained password policy (checked)
User Password Change:
User must change password after reset (checked)
User may change password (checked)
Allow changes in 2 days
Keep password history: Remember 5 passwords
Password expiration:
Password expires after 90 days
Send warning 10 days before password expires
Allow up to 1 login attempt(s) after password expires
Password syntax:
Check password syntax (unchecked)
Password Encryption: SSHA
Account Lockout:
Accounts may be locked out (checked)
Password lockout
Lockout account after 3 login failures
Reset failure count after 10 minutes
Lockout duration 30 minutes
In the Directory tab, I right-click on People, then select "Manage Password Policy" -> For subtree:
Passwords:
Fine-grained subtree policy enabled (checked)
User Password Change:
User must change password after reset (checked)
User may change password (checked)
Allow changes in 2 days
Keep password history: Remember 5 passwords
Password expiration:
Password expires after 90 days
Send warning 10 days before password expires
Allow up to 1 login attempt(s) after password expires
Password syntax:
Check password syntax (unchecked)
Password Encryption: SSHA
Account Lockout:
Accounts may be locked out (checked)
Password lockout
Lockout account after 3 login failures
Reset failure count after 10 minutes
Lockout duration 30 minutes
I don't have any specific user password policy at this
time. When I modify a user's password, I can log in
from another PC via SSH as that user using the changed
password, but I'm never told it has to be changed.
In the user's entry, when changing the
password, also change the attribute
passwordExpirationTime to 0. This should trigger the
reset password code. Note that the attribute
passwordExpirationTime is an operational attribute.
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx
On 01/07/2011 01:23 PM, harry.devine@xxxxxxx wrote:
Nope. Didn't work. I edited the entry, put in another
password, then logged in using the new password and never
got prompted to change it. I saw something online here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords
Section 13.1.1.5 says something about a bug in Directory Server.
Are you using per-user/per-subtree (i.e. Fine-Grained)
password policy? If not, then that section does not
apply.
Can you post all of your password policy configuration?
Is that something that I should follow or is that doc
outdated?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx
On 01/07/2011 01:02 PM, harry.devine@xxxxxxx wrote:
In my 389-ds setup, I have a password policy in place
where the user must change their password after a reset,
they are allowed to change their password, and it
expires after 90 days. However, I cannot find where the
Directory Manager can actually RESET a user's password.
The docs are very vague in this area IMO, so I'm sure I
overlooked it.
Not sure, but you may be able to login as directory
manager, edit the user's entry, and change the password
to some bogus value.
Where do I go in the console to reset a particular
user's password so they will be prompted to change it
when they log in again?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
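
The syntax check discussed in the thread, as an added example that is not part of the original messages or of the 389 project's code: a validator for GeneralizedTime (RFC 4517), which shows why the value 0 is rejected, plus a helper that builds an LDIF modify record setting passwordExpirationTime to a given time, following the suggestion in the top reply. The function names and the sample DN are assumptions made for illustration, and the DN is assumed to be plain ASCII that needs no LDIF encoding.

```python
import re
from datetime import datetime, timezone

# GeneralizedTime, RFC 4517 section 3.3.13:
#   YYYYMMDDHH[MM[SS]][(.|,)fraction](Z | +hh[mm] | -hh[mm])
_GT = re.compile(
    r"(\d{4})(\d{2})(\d{2})(\d{2})(?:(\d{2})(\d{2})?)?"
    r"(?:[.,]\d+)?(?:Z|[+-]\d{2}(?:\d{2})?)"
)

def is_generalized_time(value: str) -> bool:
    """True if value is well-formed GeneralizedTime with a real calendar date."""
    m = _GT.fullmatch(value)
    if not m:
        return False  # "0" fails here: no date fields, no time zone
    year, month, day, hour = (int(m.group(i)) for i in range(1, 5))
    minute = int(m.group(5) or 0)
    second = int(m.group(6) or 0)
    if second == 60:  # the syntax permits a leap second
        second = 59
    try:
        datetime(year, month, day, hour, minute, second)
    except ValueError:  # e.g. month 13, February 31, hour 25
        return False
    return True

def to_generalized_time(when: datetime) -> str:
    """Format a timezone-aware datetime as UTC GeneralizedTime."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def expire_now_ldif(dn: str, when: datetime) -> str:
    """LDIF modify record that sets passwordExpirationTime to `when`."""
    stamp = to_generalized_time(when)
    if not is_generalized_time(stamp):
        raise ValueError(f"not GeneralizedTime: {stamp!r}")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: passwordExpirationTime\n"
        f"passwordExpirationTime: {stamp}\n"
    )

if __name__ == "__main__":
    # Constructed sample DN, not taken from the thread.
    print(expire_now_ldif("uid=jdoe,ou=People,dc=example,dc=com",
                          datetime.now(timezone.utc)))
```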