harry.devine@xxxxxxx wrote:
I can get the passwordexpirationtime value, but I'm unsure what you mean by "set the password expiration to occur immediately". I'm coming from the Windows world, so I'm used to the "User must change password at next logon" checkbox. I don't see that anywhere on the GUI, so I'm unclear how you set that.
Could this help ...?
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes
passwordMustChange: When on, this attribute requires users to change their passwords when they first login to the directory or after the password is reset by the Directory Manager. The user is required to change their password even if user-defined passwords are disabled. If this attribute is set to off, passwords assigned by the Directory Manager should not follow any obvious convention and should be difficult to discover. This attribute is off by default.
Also, how do I manipulate the dates? I get something similar to 20110122161029Z (for example) for passwordexpirationtime. How do I convert that to a proper date format? Also, I just changed my account's password while testing, and I see that passwordexpirationtime got reset to 19700101000000Z. What does the 1970xxx value represent?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx
Most LDAP servers use a different schema than the Microsoft version and work from the opposite direction. Try querying "passwordexpirationtime".
You can do a search for the specific password schema with the following info: 2.16.840.1.113730.3.2.12 passwordObject
I think it is more common to:
1. administratively set the password on a user account
2. set the password expiration to occur immediately.
3. set the passwordGraceUserTime for a time period that allows the user to log in solely to change their password.
However, you must explicitly program your site to gracefully handle this situation (condition where passwordexpirationtime < now < passwordGraceUserTime), since the user's LDAP authentication attempt against the directory will fail (with an error indicating the password has expired).
On 01/21/2011 09:45 AM, harry.devine@xxxxxxx wrote:
I am in the process of creating a web-based mechanism to allow our users to change their password on our new 389-ds server. I would like to display the date that their password is due to expire, and while Googling around, I see a lot of references to pwdLastSet, but about 95% of the articles are referring to Active Directory. I don't see pwdLastSet amongst the attributes in my default 389-ds setup. Is it there, or do I have to add that attribute to every account?
Also, I currently have my pages set up where, when the user logs in, it detects our 'default' password and forces them to change it. Is there some attribute in their account that I can set that I can key off of and force them to change their password when they login to my site?
Thanks for any tips!
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
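Added example (not part of any message in this thread, and not 389-ds code): converting a passwordexpirationtime value such as 20110122161029Z into a date a web page can display. The function names are hypothetical; only the 15-character UTC form seen above is handled, and reporting 19700101000000Z (the Unix epoch, time zero) as "no date to display" is an assumption of the example, since the thread does not say what the server means by it.

```python
from datetime import datetime, timezone

# 19700101000000Z is time zero (the Unix epoch) written as GeneralizedTime.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse the UTC form seen in the thread: YYYYmmddHHMMSS followed by 'Z'."""
    # Fractional seconds and numeric offsets are legal GeneralizedTime but
    # do not appear in the thread; reject them instead of guessing.
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime form: {value!r}")
    parsed = datetime.strptime(value[:-1], "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def expiry_status(value, now=None):
    """Return (state, expires_at, whole_days_left) for a passwordexpirationtime."""
    now = now or datetime.now(timezone.utc)
    expires = parse_generalized_time(value)
    if expires == EPOCH:
        # Assumption of this example: show "no expiry date" for the epoch
        # value rather than "expired in 1970".
        return ("epoch", None, None)
    remaining = expires - now
    if remaining.total_seconds() <= 0:
        return ("expired", expires, 0)
    return ("valid", expires, remaining.days)


if __name__ == "__main__":
    # Constructed "now" so the output is reproducible.
    fixed_now = datetime(2011, 1, 21, 16, 10, 29, tzinfo=timezone.utc)
    for raw in ("20110122161029Z", "19700101000000Z"):
        state, when, days = expiry_status(raw, now=fixed_now)
        shown = when.strftime("%Y-%m-%d %H:%M:%S UTC") if when else "n/a"
        print(f"{raw}: {state}, expires {shown}, days left {days}")
```

The returned datetime is timezone-aware UTC, so convert it to the user's local zone only at display time and keep comparisons in UTC.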