I had it set to 2 days (the "allow changes in X days" setting). I set it to 0, logged in as that user, and got the exact same error.
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx
From: Rob Crittenden <rcritten@xxxxxxxxxx>
To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA, 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx
Date: 01/10/2011 10:18 AM
Subject: Re: [389-users] Resetting user passwords
harry.devine@xxxxxxx wrote:
>
> I tried that (using a date/time string similar to
> passwordallowchangetime), and I was able to get the "your password will
> expire in 10 days" message when I log in. I guess I thought that there
> would have existed either a checkbox or a button similar to Active
> Directory where it says "Reset user password" or something similar.
>
> Now, whenever I try to change the password using the passwd command, I
> get the following error:
>
> LDAP password information update failed: Constraint violation
> within password minimum age
> passwd: Permission denied.
>
> Any ideas on that?
See if you have passwordMinAge set. This defines the minimum amount of
time that must pass before a password can be changed. This is generally
used in conjunction with password history (so a user doesn't repeatedly
change their password so they can re-use one once it gets pushed out of
history).
rob
> Harry
>
>
>
> From: Harry Devine/ACT/FAA@FAA
> To: Rich Megginson <rmeggins@xxxxxxxxxx>
> Cc: Ted Rush/ACT/FAA@FAA, "General discussion list for the 389
> Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Date: 01/07/2011 11:10 PM
> Subject: Re: [389-users] Resetting user passwords
> Sent by: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx
>
>
> ------------------------------------------------------------------------
>
>
>
> I'll try that on Monday when I'm back at work. Is there any specific
> time formatted string I should use? I saw some of the other attributes
> referring to time appear to have a value that looks like it starts with
> the year and ends with Z.
>
> Thanks!
> Harry
>
>
> -----Rich Megginson <rmeggins@xxxxxxxxxx> wrote: -----
>
> To: Harry Devine/ACT/FAA@FAA
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> Date: 01/07/2011 08:25PM
> cc: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 06:06 PM, harry.devine@xxxxxxx wrote:
> 0
> Looks like a bug. Because we now use strict GeneralizedTime syntax with
> checking, you cannot input that value any more. I suppose you could set
> it to the current time instead.
>
> Harry
>
>
> -----Rich Megginson <rmeggins@xxxxxxxxxx> wrote: -----
>
> To: Harry Devine/ACT/FAA@FAA
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> Date: 01/07/2011 04:31PM
> cc: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 02:22 PM, harry.devine@xxxxxxx wrote:
>
> Won't let me do it. I get the following error:
>
> Cannot save to directory server:
> netscape.ldap.LDAPException: error result(21); passwordExpirationTime:
> value #0 invalid per syntax; Invalid Syntax.
> What value did you use?
>
> Thanks,
> Harry
>
>
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: Harry Devine/ACT/FAA@FAA
> Cc: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Date: 01/07/2011 04:10 PM
> Subject: Re: [389-users] Resetting user passwords
>
>
>
> ------------------------------------------------------------------------
>
>
>
> On 01/07/2011 01:51 PM, harry.devine@xxxxxxx wrote:
>
> In the Directory Server GUI, under the Configuration tab, I have:
>
> Passwords:
> Enable fine-grained password policy (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> In the Directory tab, I right-click on People, then select "Manage
> Password Policy" -> For subtree:
>
> Passwords:
> Fine-grained subtree policy enabled (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> I don't have any specific user password policy at this time. When I
> modify a user's password, I can log in from another PC via SSH as that
> user using the changed password, but I'm never told it has to be changed.
> In the user's entry, when changing the password, also change the
> attribute passwordExpirationTime to 0. This should trigger the reset
> password code. Note that the attribute passwordExpirationTime is an
> operational attribute.
>
> Thanks,
> Harry
>
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: Harry Devine/ACT/FAA@FAA
> Cc: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Date: 01/07/2011 03:37 PM
> Subject: Re: [389-users] Resetting user passwords
>
>
>
>
> ------------------------------------------------------------------------
>
>
>
> On 01/07/2011 01:23 PM, harry.devine@xxxxxxx wrote:
>
> Nope. Didn't work. I edited the entry, put in another password, then
> login using the new password and never get prompted to change it. I saw
> something online here:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords.
> Section 13.1.1.5 says something about a bug in Directory Server.
> Are you using per-user/per-subtree (i.e. Fine-Grained) password policy?
> If not, then that section does not apply.
>
> Can you post all of your password policy configuration?
> Is that something that I should follow or is that doc outdated?
>
> Thanks,
> Harry
>
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
> Date: 01/07/2011 03:12 PM
> Subject: Re: [389-users] Resetting user passwords
>
>
>
>
>
> ------------------------------------------------------------------------
>
>
>
> On 01/07/2011 01:02 PM, harry.devine@xxxxxxx wrote:
>
> In my 389-ds setup, I have a password policy in place where the user
> must change their password after a reset, they are allowed to change
> their password, and it expires after 90 days. However, I cannot find
> where the Directory Manager can actually RESET a user's password. The
> docs are very vague in this area IMO, so I'm sure I overlooked it.
>
> Not sure, but you may be able to login as directory manager, edit the
> user's entry, and change the password to some bogus value.
>
> Where do I go in the console to reset a particular user's password so
> they will be prompted to change it when they log in again?
>
> Thanks,
> Harry
>
>
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
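The two failure points discussed in this thread, as an added example that is not code from the thread or from the 389 project: a strict GeneralizedTime check that rejects "0", an LDIF builder that sets passwordExpirationTime to the current time as suggested, and a minimum-age check. It assumes UTC timestamps of the form YYYYMMDDHHMMSSZ and that the minimum-age test compares the current time with the entry's passwordAllowChangeTime; the DN, password and function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Only the common UTC form YYYYMMDDHHMMSSZ is accepted here; full
# GeneralizedTime (RFC 4517) also allows fractions and zone offsets.
_GT = re.compile(r"[0-9]{14}Z")

def parse_generalized_time(value):
    """Return an aware UTC datetime; raise ValueError for anything else."""
    if not _GT.fullmatch(value):
        raise ValueError(f"invalid GeneralizedTime: {value!r}")
    parsed = datetime.strptime(value, "%Y%m%d%H%M%SZ")  # rejects month 13 etc.
    return parsed.replace(tzinfo=timezone.utc)

def to_generalized_time(moment):
    """Format an aware datetime as UTC GeneralizedTime."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def reset_ldif(dn, temp_password, now):
    """LDIF for ldapmodify: set a temporary password and expire it as of now.

    Assumes dn and temp_password are plain ASCII needing no base64 encoding.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {temp_password}",
        "-",
        "replace: passwordExpirationTime",
        f"passwordExpirationTime: {to_generalized_time(now)}",
        "",
    ])

def user_may_change(allow_change_time, now):
    """Assumed min-age check: allowed once now reaches passwordAllowChangeTime."""
    return now >= parse_generalized_time(allow_change_time)

# Constructed sample values, not taken from the thread.
SAMPLE_DN = "uid=jdoe,ou=People,dc=example,dc=com"
SAMPLE_NOW = datetime(2011, 1, 10, 15, 18, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(reset_ldif(SAMPLE_DN, "Temp-Passw0rd!", SAMPLE_NOW))
    print(user_may_change("20110112151800Z", SAMPLE_NOW))  # stamp two days ahead
```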