Re: [389-users] Resetting user passwords


 




I tried that (using a date/time string similar to passwordallowchangetime), and I was able to get the "your password will expire in 10 days" message when I log in.  I guess I thought that there would have existed either a checkbox or a button similar to Active Directory where it says "Reset user password" or something similar.

Now, whenever I try to change the password using the passwd command, I get the following error:

LDAP password information update failed: Constraint violation
within password minimum age
passwd: Permission denied.

Any ideas on that?
Harry

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx



From: Harry Devine/ACT/FAA@FAA
To: Rich Megginson <rmeggins@xxxxxxxxxx>
Cc: Ted Rush/ACT/FAA@FAA, "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Date: 01/07/2011 11:10 PM
Subject: Re: [389-users] Resetting user passwords
Sent by: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx





I'll try that on Monday when I'm back at work.  Is there any specific time formatted string I should use?  I saw some of the other attributes referring to time appear to have a value that looks like it starts with the year and ends with Z.

Thanks!
Harry

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218

Harry.Devine@xxxxxxx

-----Rich Megginson <rmeggins@xxxxxxxxxx> wrote: -----

To: Harry Devine/ACT/FAA@FAA
From: Rich Megginson <rmeggins@xxxxxxxxxx>
Date: 01/07/2011 08:25PM
cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
Subject: Re: [389-users] Resetting user passwords

On 01/07/2011 06:06 PM, harry.devine@xxxxxxx wrote:

0

Looks like a bug.  Because we now use strict GeneralizedTime syntax with checking, you cannot input that value any more.  I suppose you could set it to the current time instead.

Harry


Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218

Harry.Devine@xxxxxxx

-----Rich Megginson <rmeggins@xxxxxxxxxx> wrote: -----

To: Harry Devine/ACT/FAA@FAA
From: Rich Megginson <rmeggins@xxxxxxxxxx>
Date: 01/07/2011 04:31PM
cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
Subject: Re: [389-users] Resetting user passwords

On 01/07/2011 02:22 PM,
harry.devine@xxxxxxx wrote:

Won't let me do it.  I get the following error:


Cannot save to directory server:

netscape.ldap.LDAPException: error result(21); passwordExpirationTime: value #0 invalid per syntax; Invalid Syntax.

What value did you use?

Thanks,

Harry


Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218

Harry.Devine@xxxxxxx

From: Rich Megginson <rmeggins@xxxxxxxxxx>
To: Harry Devine/ACT/FAA@FAA
Cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
Date: 01/07/2011 04:10 PM
Subject: Re: [389-users] Resetting user passwords






On 01/07/2011 01:51 PM,
harry.devine@xxxxxxx wrote:

In the Directory Server GUI, under the Configuration tab, I have:


Passwords:

      Enable fine-grained password policy (checked)

      User Password Change:

              User must change password after reset (checked)

              User may change password (checked)

              Allow changes in 2 days

              Keep password history: Remember 5 passwords

      Password expiration:

              Password expires after 90 days

              Send warning 10 days before password expires

              Allow up to 1 login attempt(s) after password expires

      Password syntax:

              Check password syntax (unchecked)

      Password Encryption: SSHA

Account Lockout:

      Accounts may be locked out (checked)

      Password lockout

              Lockout account after 3 login failures

              Reset failure count after 10 minutes

              Lockout duration 30 minutes


In the Directory tab, I right-click on People, then select "Manage Password Policy" -> For subtree:


Passwords:

      Fine-grained subtree policy enabled (checked)

      User Password Change:

              User must change password after reset (checked)

              User may change password (checked)

              Allow changes in 2 days

              Keep password history: Remember 5 passwords

      Password expiration:

              Password expires after 90 days

              Send warning 10 days before password expires

              Allow up to 1 login attempt(s) after password expires

      Password syntax:

              Check password syntax (unchecked)

      Password Encryption: SSHA

Account Lockout:

      Accounts may be locked out (checked)

      Password lockout

              Lockout account after 3 login failures

              Reset failure count after 10 minutes

              Lockout duration 30 minutes


I don't have any specific user password policy at this time.  When I modify a user's password, I can log in from another PC via SSH as that user using the changed password, but I'm never told it has to be changed.

In the user's entry, when changing the password, also change the attribute passwordExpirationTime to 0.  This should trigger the reset password code.  Note that the attribute passwordExpirationTime is an operational attribute.


Thanks,

Harry


Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218

Harry.Devine@xxxxxxx
From: Rich Megginson <rmeggins@xxxxxxxxxx>
To: Harry Devine/ACT/FAA@FAA
Cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
Date: 01/07/2011 03:37 PM
Subject: Re: [389-users] Resetting user passwords







On 01/07/2011 01:23 PM,
harry.devine@xxxxxxx wrote:

Nope.  Didn't work.  I edited the entry, put in another password, then logged in using the new password and never got prompted to change it.  I saw something online here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords.  Section 13.1.1.5 says something about a bug in Directory Server.
Are you using per-user/per-subtree (i.e. Fine-Grained) password policy?  If not, then that section does not apply.

Can you post all of your password policy configuration?

Is that something that I should follow or is that doc outdated?


Thanks,

Harry


Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218

Harry.Devine@xxxxxxx
From: Rich Megginson <rmeggins@xxxxxxxxxx>
To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
Date: 01/07/2011 03:12 PM
Subject: Re: [389-users] Resetting user passwords








On 01/07/2011 01:02 PM,
harry.devine@xxxxxxx wrote:

In my 389-ds setup, I have a password policy in place where the user must change their password after a reset, they are allowed to change their password, and it expires after 90 days.  However, I cannot find where the Directory Manager can actually RESET a user's password.  The docs are very vague in this area IMO, so I'm sure I overlooked it.


Not sure, but you may be able to login as directory manager, edit the user's entry, and change the password to some bogus value.


Where do I go in the console to reset a particular user's password so they will be prompted to change it when they log in again?


Thanks,

Harry


Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218

Harry.Devine@xxxxxxx


--
389 users mailing list

389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
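
The two errors in this thread, as an added example (not code from the posters or from the 389 project): a simplified model of a strict GeneralizedTime syntax check, which rejects the value 0 but accepts a timestamp ending in Z, and of the minimum-age rule behind "within password minimum age". The function names and timestamps are constructed for illustration; the parser covers only a subset of RFC 4517, and it assumes the last password change starts the minimum-age clock.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]], optional fraction
# (ignored here), then "Z" or a +/-HHMM offset. Leap seconds are not handled.
_GT = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(?:(\d{2})(\d{2})?)?"
                 r"(?:[.,]\d+)?(Z|[+-]\d{4})$")

def parse_generalized_time(value):
    """Return an aware UTC datetime, or raise ValueError on bad syntax."""
    m = _GT.match(value)
    if not m:
        raise ValueError("invalid GeneralizedTime syntax: %r" % value)
    y, mo, d, h, mi, s, tz = m.groups()
    # datetime() rejects out-of-range fields such as month 13.
    local = datetime(int(y), int(mo), int(d), int(h), int(mi or 0), int(s or 0))
    offset = timedelta(0)
    if tz != "Z":
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return (local - offset).replace(tzinfo=timezone.utc)

def is_valid_generalized_time(value):
    """True if the value passes the (simplified) strict syntax check."""
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False

def to_generalized_time(dt):
    """Format an aware datetime as YYYYMMDDHHMMSSZ."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def min_age_check(last_change, attempt, min_age_days):
    """Return (blocked, allowed_from) for a user's own password change."""
    allowed_from = last_change + timedelta(days=min_age_days)
    return attempt < allowed_from, allowed_from

if __name__ == "__main__":
    # Constructed timestamps; the 2-day minimum age is the thread's setting.
    print(is_valid_generalized_time("0"))
    reset = parse_generalized_time("20110110090000Z")
    attempt = parse_generalized_time("20110110093000Z")
    blocked, allowed_from = min_age_check(reset, attempt, 2)
    print(blocked, to_generalized_time(allowed_from))
```

With "Allow changes in 2 days" applied to the subtree, a password set by the administrator cannot be changed by the user until that window has passed, which matches the passwd failure reported at the top of the thread.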









