harry.devine@xxxxxxx wrote:
>
> I tried that (using a date/time string similar to
> passwordallowchangetime), and I was able to get the "your password will
> expire in 10 days" message when I log in. I guess I thought that there
> would have existed either a checkbox or a button similar to Active
> Directory where it says "Reset user password" or something similar.
>
> Now, whenever I try to change the password using the passwd command, I
> get the following error:
>
> LDAP password information update failed: Constraint violation
> within password minimum age
> passwd: Permission denied.
>
> Any ideas on that?

See if you have passwordMinAge set. This defines the minimum amount of time that must pass before a password can be changed. This is generally used in conjunction with password history (so a user doesn't repeatedly change their password so they can re-use one once it gets pushed out of history).

rob

> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine@xxxxxxx
>
> From: Harry Devine/ACT/FAA@FAA
> To: Rich Megginson <rmeggins@xxxxxxxxxx>
> Cc: Ted Rush/ACT/FAA@FAA, "General discussion list for the 389
> Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Date: 01/07/2011 11:10 PM
> Subject: Re: [389-users] Resetting user passwords
> Sent by: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx
>
> ------------------------------------------------------------------------
>
> I'll try that on Monday when I'm back at work. Is there any specific
> time formatted string I should use? I saw some of the other attributes
> referring to time appear to have a value that looks like it starts with
> the year and ends with Z.
>
> Thanks!
> Harry
>
> -----Rich Megginson <rmeggins@xxxxxxxxxx> wrote: -----
>
> To: Harry Devine/ACT/FAA@FAA
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> Date: 01/07/2011 08:25PM
> cc: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 06:06 PM, harry.devine@xxxxxxx wrote:
> 0
> Looks like a bug. Because we now use strict GeneralizedTime syntax with
> checking, you cannot input that value any more. I suppose you could set
> it to the current time instead.
>
> Harry
>
> -----Rich Megginson <rmeggins@xxxxxxxxxx> wrote: -----
>
> To: Harry Devine/ACT/FAA@FAA
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> Date: 01/07/2011 04:31PM
> cc: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 02:22 PM, harry.devine@xxxxxxx wrote:
>
> Won't let me do it. I get the following error:
>
> Cannot save to directory server:
> netscape.ldap.LDAPException: error result(21); passwordExpirationTime:
> value #0 invalid per syntax; Invalid Syntax.
> What value did you use?
>
> Thanks,
> Harry
>
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: Harry Devine/ACT/FAA@FAA
> Cc: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Date: 01/07/2011 04:10 PM
> Subject: Re: [389-users] Resetting user passwords
>
> ------------------------------------------------------------------------
>
> On 01/07/2011 01:51 PM, harry.devine@xxxxxxx wrote:
>
> In the Directory Server GUI, under the Configuration tab, I have:
>
> Passwords:
> Enable fine-grained password policy (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> In the Directory tab, I right-click on People, then select "Manage
> Password Policy" -> For subtree:
>
> Passwords:
> Fine-grained subtree policy enabled (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> I don't have any specific user password policy at this time. When I
> modify a user's password, I can log in from another PC via SSH as that
> user using the changed password, but I'm never told it has to be changed.
> In the user's entry, when changing the password, also change the
> attribute passwordExpirationTime to 0. This should trigger the reset
> password code. Note that the attribute passwordExpirationTime is an
> operational attribute.
>
> Thanks,
> Harry
>
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: Harry Devine/ACT/FAA@FAA
> Cc: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Date: 01/07/2011 03:37 PM
> Subject: Re: [389-users] Resetting user passwords
>
> ------------------------------------------------------------------------
>
> On 01/07/2011 01:23 PM, harry.devine@xxxxxxx wrote:
>
> Nope. Didn't work. I edited the entry, put in another password, then
> login using the new password and never get prompted to change it. I saw
> something online here:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords.
> Section 13.1.1.5 says something about a bug in Directory Server.
> Are you using per-user/per-subtree (i.e. Fine-Grained) password policy?
> If not, then that section does not apply.
>
> Can you post all of your password policy configuration?
> Is that something that I should follow or is that doc outdated?
>
> Thanks,
> Harry
>
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
> Date: 01/07/2011 03:12 PM
> Subject: Re: [389-users] Resetting user passwords
>
> ------------------------------------------------------------------------
>
> On 01/07/2011 01:02 PM, harry.devine@xxxxxxx wrote:
>
> In my 389-ds setup, I have a password policy in place where the user
> must change their password after a reset, they are allowed to change
> their password, and it expires after 90 days. However, I cannot find
> where the Directory Manager can actually RESET a user's password. The
> docs are very vague in this area IMO, so I'm sure I overlooked it.
>
> Not sure, but you may be able to login as directory manager, edit the
> user's entry, and change the password to some bogus value.
>
> Where do I go in the console to reset a particular user's password so
> they will be prompted to change it when they log in again?
>
> Thanks,
> Harry
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
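
The two rejections seen in this thread (the value `0` failing strict GeneralizedTime checking, and the "within password minimum age" error after a reset), worked through as an added example that is not part of the original messages or of the 389 Directory Server code. It assumes passwordMinAge is counted in seconds and that the server refuses changes until the time stored in passwordAllowChangeTime; the parser is narrowed to the `YYYYMMDDhhmmssZ` form described above, and the timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Narrowed GeneralizedTime: only the UTC form YYYYMMDDhhmmssZ is accepted.
_GT_RE = re.compile(r"[0-9]{14}Z")
_GT_FMT = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value: str) -> datetime:
    """Strictly parse a timestamp; values such as "0" raise ValueError."""
    if not _GT_RE.fullmatch(value):
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    # strptime also rejects impossible dates (month 13, hour 25, ...).
    return datetime.strptime(value, _GT_FMT).replace(tzinfo=timezone.utc)


def to_generalized_time(moment: datetime) -> str:
    """Format an aware datetime as YYYYMMDDhhmmssZ."""
    return moment.astimezone(timezone.utc).strftime(_GT_FMT)


def allow_change_time(changed_at: datetime, min_age_seconds: int) -> str:
    """Earliest moment the next change is accepted (assumed server model)."""
    return to_generalized_time(changed_at + timedelta(seconds=min_age_seconds))


def seconds_until_change_allowed(allow_value: str, now: datetime) -> int:
    """0 means a change is accepted; >0 means 'within password minimum age'."""
    remaining = (parse_generalized_time(allow_value) - now).total_seconds()
    return max(0, int(remaining))


if __name__ == "__main__":
    # Constructed sample: admin resets the password, user retries 5 minutes later.
    reset_at = datetime(2011, 1, 10, 14, 0, 0, tzinfo=timezone.utc)
    min_age = 2 * 24 * 3600  # "Allow changes in 2 days" from the posted policy
    allow = allow_change_time(reset_at, min_age)
    wait = seconds_until_change_allowed(allow, reset_at + timedelta(minutes=5))
    print(f"passwordAllowChangeTime={allow} wait={wait}s")
    try:
        parse_generalized_time("0")  # the value rejected with "Invalid Syntax"
    except ValueError as exc:
        print(exc)
```
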