On 01/10/2011 09:33 AM, harry.devine@xxxxxxx wrote:
Just did that, got the same error. What do I set passwordallowchangetime to? I set it to a time value that would've been an hour ago since I got an error setting it to 0.

That sounds like the right value. I'm not sure what's going on - could be a bug.
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx
On 01/10/2011 08:21 AM, harry.devine@xxxxxxx wrote:
I had it set to 2 days (the "allow changes in X days" setting). I set it to 0, logged in as that user, and got the exact same error.

Did you set the global password policy setting or the per-subtree password policy setting?

You may have to also reset the passwordallowchangetime attribute in the user's entry - if you change the minage password policy setting, it doesn't change the passwordallowchangetime in each user's entry since it has already been calculated previously.
Thanks,
Harry
harry.devine@xxxxxxx wrote:
>
> I tried that (using a date/time string similar to passwordallowchangetime), and I was able to get the "your password will expire in 10 days" message when I log in. I guess I thought that there would have existed either a checkbox or a button similar to Active Directory where it says "Reset user password" or something similar.
>
> Now, whenever I try to change the password using the passwd command, I get the following error:
>
> LDAP password information update failed: Constraint violation within password minimum age
> passwd: Permission denied.
>
> Any ideas on that?
See if you have passwordMinAge set. This defines the minimum amount of time that must pass before a password can be changed. This is generally used in conjunction with password history (so a user doesn't repeatedly change their password so they can re-use one once it gets pushed out of history).
rob
> Harry
>
>
> From: Harry Devine/ACT/FAA@FAA
> To: Rich Megginson <rmeggins@xxxxxxxxxx>
> Cc: Ted Rush/ACT/FAA@FAA, "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Date: 01/07/2011 11:10 PM
> Subject: Re: [389-users] Resetting user passwords
> Sent by: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx
>
> I'll try that on Monday when I'm back at work. Is there any specific time formatted string I should use? I saw some of the other attributes referring to time appear to have a value that looks like it starts with the year and ends with Z.
>
> Thanks!
> Harry
>
>
> -----Rich Megginson <rmeggins@xxxxxxxxxx> wrote: -----
>
> To: Harry Devine/ACT/FAA@FAA
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> Date: 01/07/2011 08:25PM
> cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 06:06 PM, harry.devine@xxxxxxx <mailto:harry.devine@xxxxxxx> wrote:
> 0
> Looks like a bug. Because we now use strict GeneralizedTime syntax with checking, you cannot input that value any more. I suppose you could set it to the current time instead.
>
> Harry
>
>
> -----Rich Megginson <rmeggins@xxxxxxxxxx> wrote: -----
>
> To: Harry Devine/ACT/FAA@FAA
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> Date: 01/07/2011 04:31PM
> cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 02:22 PM, harry.devine@xxxxxxx <mailto:harry.devine@xxxxxxx> wrote:
>
> Won't let me do it. I get the following error:
>
> Cannot save to directory server:
> netscape.ldap.LDAPException: error result(21); passwordExpirationTime: value #0 invalid per syntax; Invalid Syntax.
>
> What value did you use?
>
> Thanks,
> Harry
>
>
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: Harry Devine/ACT/FAA@FAA
> Cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Date: 01/07/2011 04:10 PM
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 01:51 PM, harry.devine@xxxxxxx <mailto:harry.devine@xxxxxxx> wrote:
>
> In the Directory Server GUI, under the Configuration tab, I have:
>
> Passwords:
> Enable fine-grained password policy (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> In the Directory tab, I right-click on People, then select "Manage Password Policy" -> For subtree:
>
> Passwords:
> Fine-grained subtree policy enabled (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> I don't have any specific user password policy at this time. When I modify a user's password, I can log in from another PC via SSH as that user using the changed password, but I'm never told it has to be changed.
>
> In the user's entry, when changing the password, also change the attribute passwordExpirationTime to 0. This should trigger the reset password code. Note that the attribute passwordExpirationTime is an operational attribute.
>
> Thanks,
> Harry
>
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: Harry Devine/ACT/FAA@FAA
> Cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>, Ted Rush/ACT/FAA@FAA
> Date: 01/07/2011 03:37 PM
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 01:23 PM, harry.devine@xxxxxxx <mailto:harry.devine@xxxxxxx> wrote:
>
> Nope. Didn't work. I edited the entry, put in another password, then login using the new password and never get prompted to change it. I saw something online here: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords. Section 13.1.1.5 says something about a bug in Directory Server.
>
> Are you using per-user/per-subtree (i.e. Fine-Grained) password policy? If not, then that section does not apply.
>
> Can you post all of your password policy configuration?
>
> Is that something that I should follow or is that doc outdated?
>
> Thanks,
> Harry
>
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
> Date: 01/07/2011 03:12 PM
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 01:02 PM, harry.devine@xxxxxxx <mailto:harry.devine@xxxxxxx> wrote:
>
> In my 389-ds setup, I have a password policy in place where the user must change their password after a reset, they are allowed to change their password, and it expires after 90 days. However, I cannot find where the Directory Manager can actually RESET a user's password. The docs are very vague in this area IMO, so I'm sure I overlooked it.
>
> Not sure, but you may be able to login as directory manager, edit the user's entry, and change the password to some bogus value.
>
> Where do I go in the console to reset a particular user's password so they will be prompted to change it when they log in again?
>
> Thanks,
> Harry
>
>
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx <mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
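The two server behaviours the thread runs into, as an added worked example that is not code from the thread or from 389 DS itself: passwordExpirationTime refusing "0" under strict GeneralizedTime checking (error result 21, worked around by writing the current time), and passwordAllowChangeTime being computed once from the last change plus passwordMinAge, so it goes stale when the policy's minAge is changed. The stored timestamp layout YYYYMMDDHHMMSSZ and all function names are assumptions.

```python
"""Added example, not from the thread: GeneralizedTime helpers for the 389 DS
password-policy attributes discussed above (passwordExpirationTime,
passwordAllowChangeTime, passwordMinAge). The stored timestamp layout
YYYYMMDDHHMMSSZ (UTC, seconds precision) is an assumption."""
import re
from datetime import datetime, timedelta, timezone

_GT_RE = re.compile(r"^(\d{14})Z$")  # assumed stored form: 14 digits + 'Z'


def parse_generalized_time(value: str) -> datetime:
    """Parse YYYYMMDDHHMMSSZ; anything else (including "0") is a syntax error."""
    m = _GT_RE.match(value)
    if not m:
        raise ValueError(f"{value!r}: value invalid per syntax; Invalid Syntax")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def to_generalized_time(dt: datetime) -> str:
    """Render a tz-aware datetime in the form the server accepts."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def is_valid_generalized_time(value: str) -> bool:
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


def reset_attributes(now_gt: str) -> dict:
    """Modification that forces a reset when "0" is refused: make the password
    already expired by setting passwordExpirationTime to the current time."""
    parse_generalized_time(now_gt)  # fail locally instead of getting error 21 back
    return {"passwordExpirationTime": now_gt}


def allow_change_time(last_change_gt: str, min_age_seconds: int) -> str:
    """passwordAllowChangeTime as computed at change time: last change + minAge."""
    start = parse_generalized_time(last_change_gt)
    return to_generalized_time(start + timedelta(seconds=min_age_seconds))


def can_change_password(allow_change_gt: str, now_gt: str) -> bool:
    """False is what passwd reports as 'Constraint violation within password minimum age'."""
    return parse_generalized_time(now_gt) >= parse_generalized_time(allow_change_gt)


def stale_allow_change_time(stored_gt: str, last_change_gt: str, min_age_seconds: int) -> bool:
    """True when the entry's stored value no longer matches the policy's current minAge."""
    return stored_gt != allow_change_time(last_change_gt, min_age_seconds)
```

With the thread's settings (minAge of 2 days, later lowered to 0), stale_allow_change_time shows why the user's entry still blocks the change until passwordAllowChangeTime is reset by hand.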