<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/07/2011 06:06 PM, <a class="moz-txt-link-abbreviated" href="mailto:harry.devine@faa.gov">harry.devine@faa.gov</a> wrote:
<blockquote
cite="mid:OF13D0F1B1.57751461-ON85257812.00062225-85257812.0006222D@faa.gov"
type="cite"><font face="Default Sans
Serif,Verdana,Arial,Helvetica,sans-serif" size="2">0<br>
</font></blockquote>
Looks like a bug. Because we now use strict GeneralizedTime syntax
with checking, you cannot input that value any more. I suppose you
could set it to the current time instead.<br>
<blockquote
cite="mid:OF13D0F1B1.57751461-ON85257812.00062225-85257812.0006222D@faa.gov"
type="cite"><font face="Default Sans
Serif,Verdana,Arial,Helvetica,sans-serif" size="2"><br>
Harry<br>
<div><br>
</div>
<div>Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218<br>
<a moz-do-not-send="true" href="mailto:Harry.Devine@faa.gov">Harry.Devine@faa.gov</a><br>
<div><br>
</div>
<font color="#990099">-----Rich Megginson
<a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com">&lt;rmeggins@redhat.com&gt;</a> wrote: -----<br>
<br>
</font>
<blockquote style="padding-right: 0px; padding-left: 5px;
margin-left: 5px; border-left: 2px solid rgb(0, 0, 0);
margin-right: 0px;">To: Harry Devine/ACT/FAA@FAA<br>
From: Rich Megginson <a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com">&lt;rmeggins@redhat.com&gt;</a><br>
Date: 01/07/2011 04:31PM<br>
cc: "General discussion list for the 389 Directory server
project." <a class="moz-txt-link-rfc2396E" href="mailto:389-users@lists.fedoraproject.org">&lt;389-users@lists.fedoraproject.org&gt;</a>, Ted
Rush/ACT/FAA@FAA<br>
Subject: Re: [389-users] Resetting user passwords<br>
<br>
On 01/07/2011 02:22 PM, <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:harry.devine@faa.gov">harry.devine@faa.gov</a>
wrote:
<blockquote
cite="mid:OF73B10A88.4C2A1643-ON85257811.00755847-85257811.007573A8@faa.gov"
type="cite"> <br>
<font face="sans-serif" size="2">Won't let me do it. I
get the following error:</font> <br>
<br>
<font face="sans-serif" size="2">Cannot save to directory
server:</font> <br>
<font face="sans-serif" size="2">netscape.ldap.LDAPException:
error result(21); passwordExpirationTime: value #0
invalid per syntax; Invalid Syntax.</font> <br>
</blockquote>
What value did you use?<br>
<blockquote
cite="mid:OF73B10A88.4C2A1643-ON85257811.00755847-85257811.007573A8@faa.gov"
type="cite"> <br>
<font face="sans-serif" size="2">Thanks,</font> <br>
<font face="sans-serif" size="2">Harry</font> <br>
<br>
<br>
<br>
<br>
<table width="100%">
<tbody>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">From:</font>
</td>
<td><font face="sans-serif" size="1">Rich Megginson
<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:rmeggins@redhat.com">&lt;rmeggins@redhat.com&gt;</a></font>
<br>
</td>
</tr>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">To:</font>
</td>
<td><font face="sans-serif" size="1">Harry
Devine/ACT/FAA@FAA</font> </td>
</tr>
<tr>
<td valign="top"><font face="sans-serif"
color="#5f5f5f" size="1">Cc:</font> </td>
<td><font face="sans-serif" size="1">"General
discussion list for the 389 Directory server
project." <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:389-users@lists.fedoraproject.org">&lt;389-users@lists.fedoraproject.org&gt;</a>,
Ted Rush/ACT/FAA@FAA</font> </td>
</tr>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">Date:</font>
</td>
<td><font face="sans-serif" size="1">01/07/2011
04:10 PM</font> </td>
</tr>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">Subject:</font>
</td>
<td><font face="sans-serif" size="1">Re: [389-users]
Resetting user passwords</font></td>
</tr>
</tbody>
</table>
<br>
<hr noshade="noshade"> <br>
<br>
<br>
<font size="3">On 01/07/2011 01:51 PM, </font><a
moz-do-not-send="true"
href="mailto:harry.devine@faa.gov"><font color="blue"
size="3"><u>harry.devine@faa.gov</u></font></a><font
size="3"> wrote: </font> <br>
<font face="sans-serif" size="2"><br>
In the Directory Server GUI, under the Configuration
tab, I have:</font><font size="3"> <br>
</font><font face="sans-serif" size="2"><br>
Passwords:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Enable fine-grained password policy (checked)</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
User Password Change:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
User must change password after reset
(checked)</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
User may change password (checked)</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Allow changes in 2 days</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Keep password history: Remember 5
passwords</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Password expiration:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Password expires after 90 days</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Send warning 10 days before password
expires</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Allow up to 1 login attempt(s) after
password expires</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Password syntax:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Check password syntax (unchecked)</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Password Encryption: SSHA</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Account Lockout:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Accounts may be locked out (checked)</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Password lockout</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Lockout account after 3 login failures</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Reset failure count after 10 minutes</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Lockout duration 30 minutes</font><font
size="3"> <br>
</font><font face="sans-serif" size="2"><br>
In the Directory tab, I right-click on People, then
select "Manage Password Policy" -&gt; For subtree:</font><font
size="3"> <br>
</font><font face="sans-serif" size="2"><br>
Passwords:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Fine-grained subtree policy enabled (checked)</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
User Password Change:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
User must change password after reset
(checked)</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
User may change password (checked)</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Allow changes in 2 days</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Keep password history: Remember 5
passwords</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Password expiration:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Password expires after 90 days</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Send warning 10 days before password
expires</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Allow up to 1 login attempt(s) after
password expires</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Password syntax:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Check password syntax (unchecked)</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Password Encryption: SSHA</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Account Lockout:</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Accounts may be locked out (checked)</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Password lockout</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Lockout account after 3 login failures</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Reset failure count after 10 minutes</font><font
size="3"> </font><font face="sans-serif" size="2"><br>
Lockout duration 30 minutes</font><font
size="3"> <br>
</font><font face="sans-serif" size="2"><br>
I don't have any specific user password policy at this
time. When I modify a user's password, I can log in
from another PC via SSH as that user using the changed
password, but I'm never told it has to be changed.</font><font
size="3"> </font> <br>
<font size="3">In the user's entry, when changing the
password, also change the attribute
passwordExpirationTime to 0. This should trigger the
reset password code. Note that the attribute
passwordExpirationTime is an operational attribute.</font>
<br>
<font face="sans-serif" size="2"><br>
Thanks,</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Harry</font><font size="3"> <br>
</font><font face="sans-serif" size="2"><br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font face="sans-serif" color="blue"
size="2"><u><br>
</u></font><a moz-do-not-send="true"
href="mailto:Harry.Devine@faa.gov"><font
face="sans-serif" color="blue" size="2"><u>Harry.Devine@faa.gov</u></font></a><font
size="3"> <br>
<br>
</font>
<table width="100%">
<tbody>
<tr valign="top">
<td width="7%"><font face="sans-serif"
color="#5f5f5f" size="1">From:</font><font
size="3"> </font> </td>
<td width="92%"><font face="sans-serif" size="1">Rich
Megginson </font><a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"><font
face="sans-serif" color="blue" size="1"><u>&lt;rmeggins@redhat.com&gt;</u></font></a><font
size="3"> </font> </td>
</tr>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">To:</font><font
size="3"> </font> </td>
<td><font face="sans-serif" size="1">Harry
Devine/ACT/FAA@FAA</font><font size="3"> </font>
</td>
</tr>
<tr>
<td valign="top"><font face="sans-serif"
color="#5f5f5f" size="1">Cc:</font><font
size="3"> </font> </td>
<td><font face="sans-serif" size="1">"General
discussion list for the 389 Directory server
project." </font><a moz-do-not-send="true"
href="mailto:389-users@lists.fedoraproject.org"><font
face="sans-serif" color="blue" size="1"><u>&lt;389-users@lists.fedoraproject.org&gt;</u></font></a><font
face="sans-serif" size="1">, Ted
Rush/ACT/FAA@FAA</font><font size="3"> </font>
</td>
</tr>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">Date:</font><font
size="3"> </font> </td>
<td><font face="sans-serif" size="1">01/07/2011
03:37 PM</font><font size="3"> </font> </td>
</tr>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">Subject:</font><font
size="3"> </font> </td>
<td><font face="sans-serif" size="1">Re: [389-users]
Resetting user passwords</font></td>
</tr>
</tbody>
</table>
<br>
<font size="3"><br>
</font>
<hr noshade="noshade"><font size="3"><br>
<br>
<br>
On 01/07/2011 01:23 PM, </font><a
moz-do-not-send="true"
href="mailto:harry.devine@faa.gov"><font color="blue"
size="3"><u>harry.devine@faa.gov</u></font></a><font
size="3"> wrote: </font><font face="sans-serif"
size="2"><br>
<br>
Nope. Didn't work. I edited the entry, put in another
password, then log in using the new password and never
get prompted to change it. I saw something online here:
</font><a moz-do-not-send="true"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords"><font
face="sans-serif" color="blue" size="2"><u>http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords</u></font></a><font
face="sans-serif" size="2">. Section 13.1.1.5 says
something about a bug in Directory Server.</font><font
size="3"> <br>
Are you using per-user/per-subtree (i.e. Fine-Grained)
password policy? If not, then that section does not
apply.<br>
<br>
Can you post all of your password policy configuration?
</font><font face="sans-serif" size="2"><br>
Is that something that I should follow or is that doc
outdated?</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
<br>
Thanks,</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Harry</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
<br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font color="blue" size="3"><u><br>
</u></font><a moz-do-not-send="true"
href="mailto:Harry.Devine@faa.gov"><font
face="sans-serif" color="blue" size="2"><u>Harry.Devine@faa.gov</u></font></a><font
size="3"> <br>
</font>
<table width="100%">
<tbody>
<tr valign="top">
<td width="9%"><font face="sans-serif"
color="#5f5f5f" size="1">From:</font><font
size="3"> </font> </td>
<td width="90%"><font face="sans-serif" size="1">Rich
Megginson </font><a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"><font
face="sans-serif" color="blue" size="1"><u>&lt;rmeggins@redhat.com&gt;</u></font></a><font
size="3"> </font> </td>
</tr>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">To:</font><font
size="3"> </font> </td>
<td><font face="sans-serif" size="1">"General
discussion list for the 389 Directory server
project." </font><a moz-do-not-send="true"
href="mailto:389-users@lists.fedoraproject.org"><font
face="sans-serif" color="blue" size="1"><u>&lt;389-users@lists.fedoraproject.org&gt;</u></font></a><font
size="3"> </font> </td>
</tr>
<tr>
<td valign="top"><font face="sans-serif"
color="#5f5f5f" size="1">Cc:</font><font
size="3"> </font> </td>
<td><font face="sans-serif" size="1">Harry
Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA</font><font
size="3"> </font> </td>
</tr>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">Date:</font><font
size="3"> </font> </td>
<td><font face="sans-serif" size="1">01/07/2011
03:12 PM</font><font size="3"> </font> </td>
</tr>
<tr valign="top">
<td><font face="sans-serif" color="#5f5f5f" size="1">Subject:</font><font
size="3"> </font> </td>
<td><font face="sans-serif" size="1">Re: [389-users]
Resetting user passwords</font></td>
</tr>
</tbody>
</table>
<br>
<font size="3"><br>
<br>
</font>
<hr noshade="noshade"><font size="3"><br>
<br>
<br>
On 01/07/2011 01:02 PM, </font><a
moz-do-not-send="true"
href="mailto:harry.devine@faa.gov"><font color="blue"
size="3"><u>harry.devine@faa.gov</u></font></a><font
size="3"> wrote: </font><font face="sans-serif"
size="2"><br>
<br>
In my 389-ds setup, I have a password policy in place
where the user must change their password after a reset,
they are allowed to change their password, and it
expires after 90 days. However, I cannot find where the
Directory Manager can actually RESET a user's password.
The docs are very vague in this area IMO, so I'm sure I
overlooked it.</font><font size="3"> <br>
<br>
Not sure, but you may be able to log in as directory
manager, edit the user's entry, and change the password
to some bogus value. </font><font face="sans-serif"
size="2"><br>
<br>
Where do I go in the console to reset a particular
user's password so they will be prompted to change it
when they log in again?</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
<br>
Thanks,</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
Harry</font><font size="3"> </font><font
face="sans-serif" size="2"><br>
<br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font color="blue" size="3"><u><br>
</u></font><a moz-do-not-send="true"
href="mailto:Harry.Devine@faa.gov"><font
face="sans-serif" color="blue" size="2"><u>Harry.Devine@faa.gov</u></font></a><font
size="3"> </font><tt><font face="Courier
New,Courier,monospace" size="3"><br>
<br>
<br>
--<br>
389 users mailing list</font></tt><font color="blue"
size="3"><u><br>
</u></font><a moz-do-not-send="true"
href="mailto:389-users@lists.fedoraproject.org"><tt><font
face="Courier New,Courier,monospace" color="blue"
size="3"><u>389-users@lists.fedoraproject.org</u></font></tt></a><font
color="blue" size="3"><u><br>
</u></font><a moz-do-not-send="true"
href="https://admin.fedoraproject.org/mailman/listinfo/389-users"><tt><font
face="Courier New,Courier,monospace" color="blue"
size="3"><u>https://admin.fedoraproject.org/mailman/listinfo/389-users</u></font></tt></a><font
size="3"> <br>
<br>
<br>
<br>
</font> <br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</div>
</font></blockquote>
<br>
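Added example (not part of the thread and not 389 Directory Server code): a Python check of the RFC 4517 GeneralizedTime grammar, showing why the value 0 fails syntax checking (error 21) while a UTC timestamp passes, plus the LDIF change that sets passwordExpirationTime to a given time, as suggested in the reply above. The function names and the sample DN are constructed for illustration.

```python
import calendar
import re
from datetime import datetime, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][(.|,)digits](Z|(+|-)HH[MM]).
# ASCII digits only; \d would also accept non-ASCII Unicode digits.
_GT = re.compile(
    r"([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})"
    r"(?:([0-9]{2})([0-9]{2})?)?"
    r"(?:[.,][0-9]+)?"
    r"(?:Z|[+-]([0-9]{2})([0-9]{2})?)"
)

def is_generalized_time(value):
    """Return True if value fits the GeneralizedTime grammar and field ranges."""
    m = _GT.fullmatch(value)
    if m is None:
        return False
    year, month, day, hour = (int(g) for g in m.group(1, 2, 3, 4))
    minute, second, tz_hour, tz_minute = (int(g or 0) for g in m.group(5, 6, 7, 8))
    if not 1 <= month <= 12:
        return False
    month_days = [31, 29 if calendar.isleap(year) else 28,
                  31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    return (1 <= day <= month_days[month - 1] and hour <= 23 and minute <= 59
            and second <= 60          # 60 is the leap second the grammar allows
            and tz_hour <= 23 and tz_minute <= 59)

def to_generalized_time(moment):
    """Format a timezone-aware datetime as a UTC GeneralizedTime string."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: the time zone would be a guess")
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def expiration_ldif(dn, value):
    """Build an LDIF modify for passwordExpirationTime, refusing bad input."""
    if "\n" in dn or "\r" in dn:
        raise ValueError("line break in DN would inject extra LDIF lines")
    if not is_generalized_time(value):
        raise ValueError(f"not GeneralizedTime: {value!r}")
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: passwordExpirationTime\n"
            f"passwordExpirationTime: {value}\n")

if __name__ == "__main__":
    dn = "uid=jdoe,ou=People,dc=example,dc=com"   # constructed sample DN
    print(is_generalized_time("0"))               # the value from the thread
    print(expiration_ldif(dn, to_generalized_time(datetime.now(timezone.utc))))
```

Checking the value on the client before submitting the change gives a clear error instead of the server's generic "Invalid Syntax" result.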
</body>
</html>