<br><font size=2 face="sans-serif">Won't let me do it. I get the
following error:</font>
<br>
<br><font size=2 face="sans-serif">Cannot save to directory server:</font>
<br><font size=2 face="sans-serif">netscape.ldap.LDAPException: error result(21);
passwordExpirationTime: value #0 invalid per syntax; Invalid Syntax.</font>
<br>
<br><font size=2 face="sans-serif">Thanks,</font>
<br><font size=2 face="sans-serif">Harry</font>
<br>
<br><font size=2 face="sans-serif">Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218<br>
Harry.Devine@faa.gov</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">From:</font>
<td><font size=1 face="sans-serif">Rich Megginson <rmeggins@redhat.com></font>
<br>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font>
<td><font size=1 face="sans-serif">Harry Devine/ACT/FAA@FAA</font>
<tr>
<td valign=top><font size=1 color=#5f5f5f face="sans-serif">Cc:</font>
<td><font size=1 face="sans-serif">"General discussion list for the
389 Directory server project." <389-users@lists.fedoraproject.org>,
Ted Rush/ACT/FAA@FAA</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font>
<td><font size=1 face="sans-serif">01/07/2011 04:10 PM</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font>
<td><font size=1 face="sans-serif">Re: [389-users] Resetting user passwords</font></table>
<br>
<hr noshade>
<br>
<br>
<br><font size=3>On 01/07/2011 01:51 PM, </font><a href=mailto:harry.devine@faa.gov><font size=3 color=blue><u>harry.devine@faa.gov</u></font></a><font size=3>
wrote: </font>
<br><font size=2 face="sans-serif"><br>
In the Directory Server GUI, under the Configuration tab, I have:</font><font size=3>
<br>
</font><font size=2 face="sans-serif"><br>
Passwords:</font><font size=3> </font><font size=2 face="sans-serif"><br>
Enable fine-grained password policy (checked)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
User Password Change:</font><font size=3> </font><font size=2 face="sans-serif"><br>
User must change
password after reset (checked)</font><font size=3> </font><font size=2 face="sans-serif"><br>
User may change
password (checked)</font><font size=3> </font><font size=2 face="sans-serif"><br>
Allow changes in
2 days</font><font size=3> </font><font size=2 face="sans-serif"><br>
Keep password history:
Remember 5 passwords</font><font size=3> </font><font size=2 face="sans-serif"><br>
Password expiration:</font><font size=3> </font><font size=2 face="sans-serif"><br>
Password expires
after 90 days</font><font size=3> </font><font size=2 face="sans-serif"><br>
Send warning 10
days before password expires</font><font size=3> </font><font size=2 face="sans-serif"><br>
Allow up to 1 login
attempt(s) after password expires</font><font size=3> </font><font size=2 face="sans-serif"><br>
Password syntax:</font><font size=3> </font><font size=2 face="sans-serif"><br>
Check password
syntax (unchecked)</font><font size=3> </font><font size=2 face="sans-serif"><br>
Password Encryption: SSHA</font><font size=3>
</font><font size=2 face="sans-serif"><br>
Account Lockout:</font><font size=3> </font><font size=2 face="sans-serif"><br>
Accounts may be locked out (checked)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
Password lockout</font><font size=3> </font><font size=2 face="sans-serif"><br>
Lockout account
after 3 login failures</font><font size=3> </font><font size=2 face="sans-serif"><br>
Reset failure count
after 10 minutes</font><font size=3> </font><font size=2 face="sans-serif"><br>
Lockout duration
30 minutes</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
In the Directory tab, I right-click on People, then select "Manage
Password Policy" -> For subtree:</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
Passwords:</font><font size=3> </font><font size=2 face="sans-serif"><br>
Fine-grained subtree policy enabled (checked)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
User Password Change:</font><font size=3> </font><font size=2 face="sans-serif"><br>
User must change
password after reset (checked)</font><font size=3> </font><font size=2 face="sans-serif"><br>
User may change
password (checked)</font><font size=3> </font><font size=2 face="sans-serif"><br>
Allow changes in
2 days</font><font size=3> </font><font size=2 face="sans-serif"><br>
Keep password history:
Remember 5 passwords</font><font size=3> </font><font size=2 face="sans-serif"><br>
Password expiration:</font><font size=3> </font><font size=2 face="sans-serif"><br>
Password expires
after 90 days</font><font size=3> </font><font size=2 face="sans-serif"><br>
Send warning 10
days before password expires</font><font size=3> </font><font size=2 face="sans-serif"><br>
Allow up to 1 login
attempt(s) after password expires</font><font size=3> </font><font size=2 face="sans-serif"><br>
Password syntax:</font><font size=3> </font><font size=2 face="sans-serif"><br>
Check password
syntax (unchecked)</font><font size=3> </font><font size=2 face="sans-serif"><br>
Password Encryption: SSHA</font><font size=3>
</font><font size=2 face="sans-serif"><br>
Account Lockout:</font><font size=3> </font><font size=2 face="sans-serif"><br>
Accounts may be locked out (checked)</font><font size=3>
</font><font size=2 face="sans-serif"><br>
Password lockout</font><font size=3> </font><font size=2 face="sans-serif"><br>
Lockout account
after 3 login failures</font><font size=3> </font><font size=2 face="sans-serif"><br>
Reset failure count
after 10 minutes</font><font size=3> </font><font size=2 face="sans-serif"><br>
Lockout duration
30 minutes</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
I don't have any specific user password policy at this time. When
I modify a user's password, I can log in from another PC via SSH as that
user using the changed password, but I'm never told it has to be changed.</font><font size=3>
</font>
<br><font size=3>In the user's entry, when changing the password, also
change the attribute passwordExpirationTime to 0. This should trigger
the reset password code. Note that the attribute passwordExpirationTime
is an operational attribute.</font>
<br><font size=2 face="sans-serif"><br>
Thanks,</font><font size=3> </font><font size=2 face="sans-serif"><br>
Harry</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=2 color=blue face="sans-serif"><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=3>
<br>
<br>
</font>
<table width=100%>
<tr valign=top>
<td width=7%><font size=1 color=#5f5f5f face="sans-serif">From:</font><font size=3>
</font>
<td width=92%><font size=1 face="sans-serif">Rich Megginson </font><a href=mailto:rmeggins@redhat.com><font size=1 color=blue face="sans-serif"><u><rmeggins@redhat.com></u></font></a><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Harry Devine/ACT/FAA@FAA</font><font size=3>
</font>
<tr>
<td valign=top><font size=1 color=#5f5f5f face="sans-serif">Cc:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">"General discussion list for the
389 Directory server project." </font><a href="mailto:389-users@lists.fedoraproject.org"><font size=1 color=blue face="sans-serif"><u><389-users@lists.fedoraproject.org></u></font></a><font size=1 face="sans-serif">,
Ted Rush/ACT/FAA@FAA</font><font size=3> </font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">01/07/2011 03:37 PM</font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Re: [389-users] Resetting user passwords</font></table>
<br><font size=3><br>
</font>
<hr noshade><font size=3><br>
<br>
<br>
On 01/07/2011 01:23 PM, </font><a href=mailto:harry.devine@faa.gov><font size=3 color=blue><u>harry.devine@faa.gov</u></font></a><font size=3>
wrote: </font><font size=2 face="sans-serif"><br>
<br>
Nope. Didn't work. I edited the entry, put in another password,
then login using the new password and never get prompted to change it.
I saw something online here: </font><a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords"><font size=2 color=blue face="sans-serif"><u>http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords</u></font></a><font size=2 face="sans-serif">.
Section 13.1.1.5 says something about a bug in Directory Server.</font><font size=3>
<br>
Are you using per-user/per-subtree (i.e. Fine-Grained) password policy?
If not, then that section does not apply.<br>
<br>
Can you post all of your password policy configuration? </font><font size=2 face="sans-serif"><br>
Is that something that I should follow or is that doc outdated?</font><font size=3>
</font><font size=2 face="sans-serif"><br>
<br>
Thanks,</font><font size=3> </font><font size=2 face="sans-serif"><br>
Harry</font><font size=3> </font><font size=2 face="sans-serif"><br>
<br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=3 color=blue><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=3>
<br>
</font>
<table width=100%>
<tr valign=top>
<td width=9%><font size=1 color=#5f5f5f face="sans-serif">From:</font><font size=3>
</font>
<td width=90%><font size=1 face="sans-serif">Rich Megginson </font><a href=mailto:rmeggins@redhat.com><font size=1 color=blue face="sans-serif"><u><rmeggins@redhat.com></u></font></a><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">"General discussion list for the
389 Directory server project." </font><a href="mailto:389-users@lists.fedoraproject.org"><font size=1 color=blue face="sans-serif"><u><389-users@lists.fedoraproject.org></u></font></a><font size=3>
</font>
<tr>
<td valign=top><font size=1 color=#5f5f5f face="sans-serif">Cc:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA</font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">01/07/2011 03:12 PM</font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Re: [389-users] Resetting user passwords</font></table>
<br><font size=3><br>
<br>
</font>
<hr noshade><font size=3><br>
<br>
<br>
On 01/07/2011 01:02 PM, </font><a href=mailto:harry.devine@faa.gov><font size=3 color=blue><u>harry.devine@faa.gov</u></font></a><font size=3>
wrote: </font><font size=2 face="sans-serif"><br>
<br>
In my 389-ds setup, I have a password policy in place where the user must
change their password after a reset, they are allowed to change their password,
and it expires after 90 days. However, I cannot find where the Directory
Manager can actually RESET a user's password. The docs are very vague
in this area IMO, so I'm sure I overlooked it.</font><font size=3> <br>
<br>
Not sure, but you may be able to login as directory manager, edit the user's
entry, and change the password to some bogus value. </font><font size=2 face="sans-serif"><br>
<br>
Where do I go in the console to reset a particular user's password so they
will be prompted to change it when they log in again?</font><font size=3>
</font><font size=2 face="sans-serif"><br>
<br>
Thanks,</font><font size=3> </font><font size=2 face="sans-serif"><br>
Harry</font><font size=3> </font><font size=2 face="sans-serif"><br>
<br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=3 color=blue><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=3>
</font><tt><font size=3><br>
<br>
<br>
--<br>
389 users mailing list</font></tt><font size=3 color=blue><u><br>
</u></font><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=3 color=blue><u>389-users@lists.fedoraproject.org</u></font></tt></a><font size=3 color=blue><u><br>
</u></font><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users"><tt><font size=3 color=blue><u>https://admin.fedoraproject.org/mailman/listinfo/389-users</u></font></tt></a><font size=3>
<br>
<br>
<br>
<br>
</font>
<br>
<br>
<br>