<br><font size=2 face="sans-serif">I tried that (using a date/time string
similar to passwordallowchangetime), and I was able to get the "your
password will expire in 10 days" message when I log in. I guess
I thought that there would have existed either a checkbox or a button similar
to Active Directory where it says "Reset user password" or something
similar. </font>
<br>
<br><font size=2 face="sans-serif">Now, whenever I try to change the password
using the passwd command, I get the following error:</font>
<br>
<br><font size=2 face="sans-serif">LDAP password information update failed:
Constraint violation</font>
<br><font size=2 face="sans-serif">within password minimum age</font>
<br><font size=2 face="sans-serif">passwd: Permission denied.</font>
<br>
<br><font size=2 face="sans-serif">Any ideas on that?</font>
<br><font size=2 face="sans-serif">Harry</font>
<br>
<br><font size=2 face="sans-serif">Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218<br>
Harry.Devine@faa.gov</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">From:</font>
<td><font size=1 face="sans-serif">Harry Devine/ACT/FAA@FAA</font>
<br>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font>
<td><font size=1 face="sans-serif">Rich Megginson &lt;rmeggins@redhat.com&gt;</font>
<tr>
<td valign=top><font size=1 color=#5f5f5f face="sans-serif">Cc:</font>
<td><font size=1 face="sans-serif">Ted Rush/ACT/FAA@FAA, "General
discussion list for the 389 Directory server project." &lt;389-users@lists.fedoraproject.org&gt;</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font>
<td><font size=1 face="sans-serif">01/07/2011 11:10 PM</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font>
<td><font size=1 face="sans-serif">Re: [389-users] Resetting user passwords</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Sent by:</font>
<td><font size=1 face="sans-serif">389-users-bounces@lists.fedoraproject.org</font></table>
<br>
<hr noshade>
<br>
<br>
<br><font size=2 face="sans-serif">I'll try that on Monday when I'm back
at work. Is there any specific time formatted string I should use?
I saw some of the other attributes referring to time appear to have
a value that looks like it starts with the year and ends with Z.<br>
<br>
Thanks!<br>
Harry<br>
</font>
<br><font size=2 face="sans-serif">Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=2 color=blue face="sans-serif"><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a>
<br>
<br><font size=2 color=#a1009f face="sans-serif">-----Rich Megginson &lt;rmeggins@redhat.com&gt;
wrote: -----<br>
</font>
<br><font size=2 face="sans-serif">To: Harry Devine/ACT/FAA@FAA<br>
From: Rich Megginson &lt;rmeggins@redhat.com&gt;<br>
Date: 01/07/2011 08:25PM<br>
cc: "General discussion list for the 389 Directory server project."
&lt;389-users@lists.fedoraproject.org&gt;, Ted Rush/ACT/FAA@FAA<br>
Subject: Re: [389-users] Resetting user passwords<br>
<br>
On 01/07/2011 06:06 PM, </font><a href=mailto:harry.devine@faa.gov><font size=2 color=blue face="sans-serif"><u>harry.devine@faa.gov</u></font></a><font size=2 face="sans-serif">
wrote: </font>
<br><font size=2 face="Verdana">0</font>
<br><font size=2 face="sans-serif">Looks like a bug. Because we now
use strict GeneralizedTime syntax with checking, you cannot input that
value any more. I suppose you could set it to the current time instead.</font>
<br><font size=2 face="Verdana"><br>
Harry</font>
<br>
<br><font size=2 face="Verdana">Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=2 color=blue face="Verdana"><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="Verdana"><u>Harry.Devine@faa.gov</u></font></a>
<br>
<br><font size=2 color=#a1009f face="Verdana">-----Rich Megginson </font><a href=mailto:rmeggins@redhat.com><font size=2 color=blue face="Verdana"><u>&lt;rmeggins@redhat.com&gt;</u></font></a><font size=2 color=#a1009f face="Verdana">
wrote: -----<br>
</font>
<br><font size=2 face="Verdana">To: Harry Devine/ACT/FAA@FAA<br>
From: Rich Megginson </font><a href=mailto:rmeggins@redhat.com><font size=2 color=blue face="Verdana"><u>&lt;rmeggins@redhat.com&gt;</u></font></a><font size=2 face="Verdana"><br>
Date: 01/07/2011 04:31PM<br>
cc: "General discussion list for the 389 Directory server project."
</font><a href="mailto:389-users@lists.fedoraproject.org"><font size=2 color=blue face="Verdana"><u>&lt;389-users@lists.fedoraproject.org&gt;</u></font></a><font size=2 face="Verdana">,
Ted Rush/ACT/FAA@FAA<br>
Subject: Re: [389-users] Resetting user passwords<br>
<br>
On 01/07/2011 02:22 PM, </font><a href=mailto:harry.devine@faa.gov><font size=2 color=blue face="Verdana"><u>harry.devine@faa.gov</u></font></a><font size=2 face="Verdana">
wrote: </font>
<br><font size=2 face="sans-serif"><br>
Won't let me do it. I get the following error:</font><font size=2 face="Verdana">
<br>
</font><font size=2 face="sans-serif"><br>
Cannot save to directory server:</font><font size=2 face="Verdana"> </font><font size=2 face="sans-serif"><br>
netscape.ldap.LDAPException: error result(21); passwordExpirationTime:
value #0 invalid per syntax; Invalid Syntax.</font><font size=2 face="Verdana">
</font>
<br><font size=2 face="Verdana">What value did you use?</font>
<br><font size=2 face="sans-serif"><br>
Thanks,</font><font size=2 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Harry</font><font size=2 face="Verdana"> <br>
</font><font size=2 face="sans-serif"><br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=2 color=blue face="sans-serif"><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=2 face="Verdana">
<br>
<br>
</font>
<table width=100%>
<tr valign=top>
<td width=7%><font size=1 color=#5f5f5f face="sans-serif">From:</font><font size=3>
</font>
<td width=92%><font size=1 face="sans-serif">Rich Megginson </font><a href=mailto:rmeggins@redhat.com><font size=1 color=blue face="sans-serif"><u>&lt;rmeggins@redhat.com&gt;</u></font></a><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Harry Devine/ACT/FAA@FAA</font><font size=3>
</font>
<tr>
<td valign=top><font size=1 color=#5f5f5f face="sans-serif">Cc:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">"General discussion list for the
389 Directory server project." </font><a href="mailto:389-users@lists.fedoraproject.org"><font size=1 color=blue face="sans-serif"><u>&lt;389-users@lists.fedoraproject.org&gt;</u></font></a><font size=1 face="sans-serif">,
Ted Rush/ACT/FAA@FAA</font><font size=3> </font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">01/07/2011 04:10 PM</font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Re: [389-users] Resetting user passwords</font></table>
<br><font size=2 face="Verdana"><br>
</font>
<hr noshade><font size=2 face="Verdana"><br>
<br>
</font><font size=3 face="Verdana"><br>
On 01/07/2011 01:51 PM, </font><a href=mailto:harry.devine@faa.gov><font size=3 color=blue face="Verdana"><u>harry.devine@faa.gov</u></font></a><font size=3 face="Verdana">
wrote: </font><font size=2 face="sans-serif"><br>
<br>
In the Directory Server GUI, under the Configuration tab, I have:</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
<br>
Passwords:</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Enable fine-grained password policy (checked)</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
User Password Change:</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
User must change password
after reset (checked)</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
User may change password
(checked)</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Allow changes in 2 days</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Keep password history:
Remember 5 passwords</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Password expiration:</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Password expires after
90 days</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Send warning 10 days
before password expires</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Allow up to 1 login attempt(s)
after password expires</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Password syntax:</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Check password syntax
(unchecked)</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Password Encryption: SSHA</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Account Lockout:</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Accounts may be locked out (checked)</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Password lockout</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Lockout account after
3 login failures</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Reset failure count after
10 minutes</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Lockout duration 30 minutes</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
<br>
In the Directory tab, I right-click on People, then select "Manage
Password Policy" -> For subtree:</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
<br>
Passwords:</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Fine-grained subtree policy enabled (checked)</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
User Password Change:</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
User must change password
after reset (checked)</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
User may change password
(checked)</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Allow changes in 2 days</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Keep password history:
Remember 5 passwords</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Password expiration:</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Password expires after
90 days</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Send warning 10 days
before password expires</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Allow up to 1 login attempt(s)
after password expires</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Password syntax:</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Check password syntax
(unchecked)</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Password Encryption: SSHA</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Account Lockout:</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Accounts may be locked out (checked)</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Password lockout</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
Lockout account after
3 login failures</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Reset failure count after
10 minutes</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Lockout duration 30 minutes</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
<br>
I don't have any specific user password policy at this time. When
I modify a user's password, I can log in from another PC via SSH as that
user using the changed password, but I'm never told it has to be changed.</font><font size=3 face="Verdana">
<br>
In the user's entry, when changing the password, also change the attribute
passwordExpirationTime to 0. This should trigger the reset password
code. Note that the attribute passwordExpirationTime is an operational
attribute.</font><font size=2 face="Verdana"> </font><font size=2 face="sans-serif"><br>
<br>
Thanks,</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Harry</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
<br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=2 color=blue face="Verdana"><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=3 face="Verdana">
<br>
</font>
<table width=100%>
<tr valign=top>
<td width=7%><font size=1 color=#5f5f5f face="sans-serif">From:</font><font size=3>
</font>
<td width=92%><font size=1 face="sans-serif">Rich Megginson </font><a href=mailto:rmeggins@redhat.com><font size=1 color=blue face="sans-serif"><u>&lt;rmeggins@redhat.com&gt;</u></font></a><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Harry Devine/ACT/FAA@FAA</font><font size=3>
</font>
<tr>
<td valign=top><font size=1 color=#5f5f5f face="sans-serif">Cc:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">"General discussion list for the
389 Directory server project." </font><a href="mailto:389-users@lists.fedoraproject.org"><font size=1 color=blue face="sans-serif"><u>&lt;389-users@lists.fedoraproject.org&gt;</u></font></a><font size=1 face="sans-serif">,
Ted Rush/ACT/FAA@FAA</font><font size=3> </font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">01/07/2011 03:37 PM</font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Re: [389-users] Resetting user passwords</font></table>
<br><font size=3 face="Verdana"><br>
</font><font size=2 face="Verdana"><br>
</font>
<hr noshade><font size=3 face="Verdana"><br>
<br>
<br>
On 01/07/2011 01:23 PM, </font><a href=mailto:harry.devine@faa.gov><font size=3 color=blue face="Verdana"><u>harry.devine@faa.gov</u></font></a><font size=3 face="Verdana">
wrote: </font><font size=2 face="sans-serif"><br>
<br>
Nope. Didn't work. I edited the entry, put in another password,
then login using the new password and never get prompted to change it.
I saw something online here: </font><a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords"><font size=2 color=blue face="sans-serif"><u>http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords</u></font></a><font size=2 face="sans-serif">.
Section 13.1.1.5 says something about a bug in Directory Server.</font><font size=3 face="Verdana">
<br>
Are you using per-user/per-subtree (i.e. Fine-Grained) password policy?
If not, then that section does not apply.<br>
<br>
Can you post all of your password policy configuration? </font><font size=2 face="sans-serif"><br>
Is that something that I should follow or is that doc outdated?</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
<br>
Thanks,</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Harry</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
<br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=2 color=blue face="Verdana"><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=3 face="Verdana">
</font>
<table width=100%>
<tr valign=top>
<td width=9%><font size=1 color=#5f5f5f face="sans-serif">From:</font><font size=3>
</font>
<td width=90%><font size=1 face="sans-serif">Rich Megginson </font><a href=mailto:rmeggins@redhat.com><font size=1 color=blue face="sans-serif"><u>&lt;rmeggins@redhat.com&gt;</u></font></a><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">"General discussion list for the
389 Directory server project." </font><a href="mailto:389-users@lists.fedoraproject.org"><font size=1 color=blue face="sans-serif"><u>&lt;389-users@lists.fedoraproject.org&gt;</u></font></a><font size=3>
</font>
<tr>
<td valign=top><font size=1 color=#5f5f5f face="sans-serif">Cc:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA</font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">01/07/2011 03:12 PM</font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Re: [389-users] Resetting user passwords</font></table>
<br><font size=3 face="Verdana"><br>
<br>
</font><font size=2 face="Verdana"><br>
</font>
<hr noshade><font size=3 face="Verdana"><br>
<br>
<br>
On 01/07/2011 01:02 PM, </font><a href=mailto:harry.devine@faa.gov><font size=3 color=blue face="Verdana"><u>harry.devine@faa.gov</u></font></a><font size=3 face="Verdana">
wrote: </font><font size=2 face="sans-serif"><br>
<br>
In my 389-ds setup, I have a password policy in place where the user must
change their password after a reset, they are allowed to change their password,
and it expires after 90 days. However, I cannot find where the Directory
Manager can actually RESET a user's password. The docs are very vague
in this area IMO, so I'm sure I overlooked it.</font><font size=3 face="Verdana">
<br>
<br>
Not sure, but you may be able to login as directory manager, edit the user's
entry, and change the password to some bogus value. </font><font size=2 face="sans-serif"><br>
<br>
Where do I go in the console to reset a particular user's password so they
will be prompted to change it when they log in again?</font><font size=3 face="Verdana">
</font><font size=2 face="sans-serif"><br>
<br>
Thanks,</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
Harry</font><font size=3 face="Verdana"> </font><font size=2 face="sans-serif"><br>
<br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=2 color=blue face="Verdana"><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=3 face="Verdana">
</font><font size=3 face="Courier"><br>
<br>
<br>
--<br>
389 users mailing list</font><font size=2 color=blue face="Verdana"><u><br>
</u></font><a href="mailto:389-users@lists.fedoraproject.org"><font size=3 color=blue face="Courier New"><u>389-users@lists.fedoraproject.org</u></font></a><font size=2 color=blue face="Verdana"><u><br>
</u></font><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users"><font size=3 color=blue face="Courier New"><u>https://admin.fedoraproject.org/mailman/listinfo/389-users</u></font></a><font size=3 face="Verdana">
<br>
<br>
<br>
</font><font size=2 face="Verdana"><br>
<br>
<br>
</font>
<br>
<br>
<br>
<br>
<br>
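<br>Added example (not from the thread and not 389 Directory Server's own code): Python that models the two checks this thread runs into, the strict GeneralizedTime syntax that rejects a passwordExpirationTime of "0" and the minimum-age test behind "within password minimum age". The DN, password placeholder, timestamps and function names are constructed, and it assumes passwordAllowChangeTime is the time of the last change plus the 2-day minimum age from the posted policy.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]] followed by "Z"
# or a +HHMM/-HHMM offset. Fractions and leap seconds are not handled here.
_GT_RE = re.compile(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?(Z|[+-]\d{4})")
MIN_AGE = timedelta(days=2)  # "Allow changes in 2 days" from the posted policy


def parse_generalized_time(value: str) -> datetime:
    """Return an aware UTC datetime, or raise ValueError on invalid syntax."""
    m = _GT_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"invalid GeneralizedTime syntax: {value!r}")
    year, month, day, hour = (int(m.group(i)) for i in range(1, 5))
    minute, second = int(m.group(5) or 0), int(m.group(6) or 0)
    offset = timedelta(0)
    if m.group(7) != "Z":
        zone = m.group(7)
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    # datetime()/timezone() reject out-of-range fields (month 13, offset +9900).
    local = datetime(year, month, day, hour, minute, second, tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def to_generalized_time(moment: datetime) -> str:
    """Format an aware datetime as the UTC 'starts with the year, ends with Z' form."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def user_change_allowed(now: datetime, password_allow_change_time: str) -> bool:
    """Model of the minimum-age check: a self-service change before
    passwordAllowChangeTime is refused (assumed semantics, see lead-in)."""
    return now >= parse_generalized_time(password_allow_change_time)


def reset_ldif(dn: str, temp_password: str, now: datetime) -> str:
    """LDIF for an admin reset that sets passwordExpirationTime to the
    current time, the workaround suggested in the thread instead of 0."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: userPassword", f"userPassword: {temp_password}", "-",
        "replace: passwordExpirationTime",
        f"passwordExpirationTime: {to_generalized_time(now)}", ""])


if __name__ == "__main__":
    reset_at = datetime(2011, 1, 10, 14, 0, tzinfo=timezone.utc)  # constructed
    print(reset_ldif("uid=jdoe,ou=People,dc=example,dc=com",  # constructed DN
                     "<TEMPORARY-PASSWORD>", reset_at))
    allow_at = to_generalized_time(reset_at + MIN_AGE)
    for delay in (timedelta(hours=1), MIN_AGE):
        ok = user_change_allowed(reset_at + delay, allow_at)
        print(f"change {delay} after reset:", "allowed" if ok else "within minimum age")
    try:
        parse_generalized_time("0")
    except ValueError as exc:
        print(exc)
```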