<br><font size=2 face="sans-serif">Just did that, got the same error. What
do I set passwordallowchangetime to? I set it to a time value that
would've been an hour ago since I got an error setting it to 0. </font>
<br>
<br><font size=2 face="sans-serif">Thanks,</font>
<br><font size=2 face="sans-serif">Harry</font>
<br>
<br><font size=2 face="sans-serif">Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218<br>
Harry.Devine@faa.gov</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">From:</font>
<td><font size=1 face="sans-serif">Rich Megginson <rmeggins@redhat.com></font>
<br>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font>
<td><font size=1 face="sans-serif">"General discussion list for the
389 Directory server project." <389-users@lists.fedoraproject.org></font>
<tr>
<td valign=top><font size=1 color=#5f5f5f face="sans-serif">Cc:</font>
<td><font size=1 face="sans-serif">Harry Devine/ACT/FAA@FAA, Rob Crittenden
<rcritten@redhat.com>, Ted Rush/ACT/FAA@FAA, 389-users-bounces@lists.fedoraproject.org</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font>
<td><font size=1 face="sans-serif">01/10/2011 11:19 AM</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font>
<td><font size=1 face="sans-serif">Re: [389-users] Resetting user passwords</font></table>
<br>
<hr noshade>
<br>
<br>
<br><font size=3>On 01/10/2011 08:21 AM, </font><a href=mailto:harry.devine@faa.gov><font size=3 color=blue><u>harry.devine@faa.gov</u></font></a><font size=3>
wrote: </font>
<br><font size=2 face="sans-serif"><br>
I had it set to 2 days (the "allow changes in X days" setting).
I set it to 0, logged in as that user, and got the exact same error.</font><font size=3>
</font>
<br><font size=3>Did you set the global password policy setting or the
per-subtree password policy setting?<br>
You may have to also reset the passwordallowchangetime attribute in the
user's entry - if you change the minage password policy setting, it doesn't
change the passwordallowchangetime in each user's entry since it has already
been calculated previously.</font>
<br><font size=2 face="sans-serif"><br>
Thanks,</font><font size=3> </font><font size=2 face="sans-serif"><br>
Harry</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=2 color=blue face="sans-serif"><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=3>
<br>
<br>
</font>
<table width=100%>
<tr valign=top>
<td width=8%><font size=1 color=#5f5f5f face="sans-serif">From:</font><font size=3>
</font>
<td width=91%><font size=1 face="sans-serif">Rob Crittenden </font><a href=mailto:rcritten@redhat.com><font size=1 color=blue face="sans-serif"><u><rcritten@redhat.com></u></font></a><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">"General discussion list for the
389 Directory server project." </font><a href="mailto:389-users@lists.fedoraproject.org"><font size=1 color=blue face="sans-serif"><u><389-users@lists.fedoraproject.org></u></font></a><font size=3>
</font>
<tr>
<td valign=top><font size=1 color=#5f5f5f face="sans-serif">Cc:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA,
</font><a href="mailto:389-users-bounces@lists.fedoraproject.org"><font size=1 color=blue face="sans-serif"><u>389-users-bounces@lists.fedoraproject.org</u></font></a><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">01/10/2011 10:18 AM</font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Re: [389-users] Resetting user passwords</font></table>
<br><font size=3><br>
</font>
<hr noshade><font size=3><br>
<br>
</font><tt><font size=2 color=blue><u><br>
</u></font></tt><a href=mailto:harry.devine@faa.gov><tt><font size=2 color=blue><u>harry.devine@faa.gov</u></font></tt></a><tt><font size=2>
wrote:<br>
><br>
> I tried that (using a date/time string similar to<br>
> passwordallowchangetime), and I was able to get the "your password
will<br>
> expire in 10 days" message when I log in. I guess I thought that
there<br>
> would have existed either a checkbox or a button similar to Active<br>
> Directory where it says "Reset user password" or something
similar.<br>
><br>
> Now, whenever I try to change the password using the passwd command,
I<br>
> get the following error:<br>
><br>
> LDAP password information update failed: Constraint violation<br>
> within password minimum age<br>
> passwd: Permission denied.<br>
><br>
> Any ideas on that?<br>
<br>
See if you have passwordMinAge set. This defines the minimum amount of
<br>
time that must pass before a password can be changed. This is generally
<br>
used in conjunction with password history (so a user doesn't repeatedly
<br>
change their password so they can re-use one once it gets pushed out of
<br>
history).<br>
<br>
rob<br>
<br>
> Harry<br>
><br>
> Harry Devine<br>
> Common ARTS Software Development<br>
> AJT-144<br>
> (609)485-4218<br>
> </font></tt><a href=mailto:Harry.Devine@faa.gov><tt><font size=2 color=blue><u>Harry.Devine@faa.gov</u></font></tt></a><tt><font size=2><br>
><br>
><br>
> From: Harry
Devine/ACT/FAA@FAA<br>
> To: Rich
Megginson </font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u><rmeggins@redhat.com></u></font></tt></a><tt><font size=2><br>
> Cc: Ted
Rush/ACT/FAA@FAA, "General discussion list for the 389<br>
> Directory server project." </font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u><389-users@lists.fedoraproject.org></u></font></tt></a><tt><font size=2><br>
> Date: 01/07/2011
11:10 PM<br>
> Subject: Re:
[389-users] Resetting user passwords<br>
> Sent by: </font></tt><a href="mailto:389-users-bounces@lists.fedoraproject.org"><tt><font size=2 color=blue><u>389-users-bounces@lists.fedoraproject.org</u></font></tt></a><tt><font size=2><br>
><br>
><br>
> ------------------------------------------------------------------------<br>
><br>
><br>
><br>
> I'll try that on Monday when I'm back at work. Is there any specific<br>
> time formatted string I should use? I saw some of the other attributes<br>
> referring to time appear to have a value that looks like it starts
with<br>
> the year and ends with Z.<br>
><br>
> Thanks!<br>
> Harry<br>
><br>
> Harry Devine<br>
> Common ARTS Software Development<br>
> AJT-144<br>
> (609)485-4218_<br>
> __Harry.Devine@faa.gov_ <</font></tt><a href=mailto:Harry.Devine@faa.gov><tt><font size=2 color=blue><u>mailto:Harry.Devine@faa.gov</u></font></tt></a><tt><font size=2>><br>
><br>
> -----Rich Megginson </font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u><rmeggins@redhat.com></u></font></tt></a><tt><font size=2>
wrote: -----<br>
><br>
> To: Harry Devine/ACT/FAA@FAA<br>
> From: Rich Megginson </font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u><rmeggins@redhat.com></u></font></tt></a><tt><font size=2><br>
> Date: 01/07/2011 08:25PM<br>
> cc: "General discussion list for the 389 Directory server project."<br>
> </font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u><389-users@lists.fedoraproject.org></u></font></tt></a><tt><font size=2>,
Ted Rush/ACT/FAA@FAA<br>
> Subject: Re: [389-users] Resetting user passwords<br>
><br>
> On 01/07/2011 06:06 PM, _harry.devine@faa.gov_<br>
> <</font></tt><a href=mailto:harry.devine@faa.gov><tt><font size=2 color=blue><u>mailto:harry.devine@faa.gov</u></font></tt></a><tt><font size=2>>
wrote:<br>
> 0<br>
> Looks like a bug. Because we now use strict GeneralizedTime syntax
with<br>
> checking, you cannot input that value any more. I suppose you could
set<br>
> it to the current time instead.<br>
><br>
> Harry<br>
><br>
> Harry Devine<br>
> Common ARTS Software Development<br>
> AJT-144<br>
> (609)485-4218_<br>
> __Harry.Devine@faa.gov_ <</font></tt><a href=mailto:Harry.Devine@faa.gov><tt><font size=2 color=blue><u>mailto:Harry.Devine@faa.gov</u></font></tt></a><tt><font size=2>><br>
><br>
> -----Rich Megginson _</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u><rmeggins@redhat.com></u></font></tt></a><tt><font size=2>_
<</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u>mailto:rmeggins@redhat.com</u></font></tt></a><tt><font size=2>><br>
> wrote: -----<br>
><br>
> To: Harry Devine/ACT/FAA@FAA<br>
> From: Rich Megginson _</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u><rmeggins@redhat.com></u></font></tt></a><tt><font size=2>_
<</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u>mailto:rmeggins@redhat.com</u></font></tt></a><tt><font size=2>><br>
> Date: 01/07/2011 04:31PM<br>
> cc: "General discussion list for the 389 Directory server project."<br>
> _</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u><389-users@lists.fedoraproject.org></u></font></tt></a><tt><font size=2>_<br>
> <</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u>mailto:389-users@lists.fedoraproject.org</u></font></tt></a><tt><font size=2>>,
Ted Rush/ACT/FAA@FAA<br>
> Subject: Re: [389-users] Resetting user passwords<br>
><br>
> On 01/07/2011 02:22 PM, _harry.devine@faa.gov_<br>
> <</font></tt><a href=mailto:harry.devine@faa.gov><tt><font size=2 color=blue><u>mailto:harry.devine@faa.gov</u></font></tt></a><tt><font size=2>>
wrote:<br>
><br>
> Won't let me do it. I get the following error:<br>
><br>
> Cannot save to directory server:<br>
> netscape.ldap.LDAPException: error result(21); passwordExpirationTime:<br>
> value #0 invalid per syntax; Invalid Syntax.<br>
> What value did you use?<br>
><br>
> Thanks,<br>
> Harry<br>
><br>
> Harry Devine<br>
> Common ARTS Software Development<br>
> AJT-144<br>
> (609)485-4218_<br>
> __Harry.Devine@faa.gov_ <</font></tt><a href=mailto:Harry.Devine@faa.gov><tt><font size=2 color=blue><u>mailto:Harry.Devine@faa.gov</u></font></tt></a><tt><font size=2>><br>
><br>
> From: Rich
Megginson _</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u><rmeggins@redhat.com></u></font></tt></a><tt><font size=2>_
<</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u>mailto:rmeggins@redhat.com</u></font></tt></a><tt><font size=2>><br>
> To: Harry
Devine/ACT/FAA@FAA<br>
> Cc: "General
discussion list for the 389 Directory server project."<br>
> _</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u><389-users@lists.fedoraproject.org></u></font></tt></a><tt><font size=2>_<br>
> <</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u>mailto:389-users@lists.fedoraproject.org</u></font></tt></a><tt><font size=2>>,
Ted Rush/ACT/FAA@FAA<br>
> Date: 01/07/2011
04:10 PM<br>
> Subject: Re:
[389-users] Resetting user passwords<br>
><br>
><br>
><br>
> ------------------------------------------------------------------------<br>
><br>
><br>
><br>
> On 01/07/2011 01:51 PM, _harry.devine@faa.gov_<br>
> <</font></tt><a href=mailto:harry.devine@faa.gov><tt><font size=2 color=blue><u>mailto:harry.devine@faa.gov</u></font></tt></a><tt><font size=2>>
wrote:<br>
><br>
> In the Directory Server GUI, under the Configuration tab, I have:<br>
><br>
> Passwords:<br>
> Enable fine-grained password policy (checked)<br>
> User Password Change:<br>
> User must change password after reset (checked)<br>
> User may change password (checked)<br>
> Allow changes in 2 days<br>
> Keep password history: Remember 5 passwords<br>
> Password expiration:<br>
> Password expires after 90 days<br>
> Send warning 10 days before password expires<br>
> Allow up to 1 login attempt(s) after password expires<br>
> Password syntax:<br>
> Check password syntax (unchecked)<br>
> Password Encryption: SSHA<br>
> Account Lockout:<br>
> Accounts may be locked out (checked)<br>
> Password lockout<br>
> Lockout account after 3 login failures<br>
> Reset failure count after 10 minutes<br>
> Lockout duration 30 minutes<br>
><br>
> In the Directory tab, I right-click on People, then select "Manage<br>
> Password Policy" -> For subtree:<br>
><br>
> Passwords:<br>
> Fine-grained subtree policy enabled (checked)<br>
> User Password Change:<br>
> User must change password after reset (checked)<br>
> User may change password (checked)<br>
> Allow changes in 2 days<br>
> Keep password history: Remember 5 passwords<br>
> Password expiration:<br>
> Password expires after 90 days<br>
> Send warning 10 days before password expires<br>
> Allow up to 1 login attempt(s) after password expires<br>
> Password syntax:<br>
> Check password syntax (unchecked)<br>
> Password Encryption: SSHA<br>
> Account Lockout:<br>
> Accounts may be locked out (checked)<br>
> Password lockout<br>
> Lockout account after 3 login failures<br>
> Reset failure count after 10 minutes<br>
> Lockout duration 30 minutes<br>
><br>
> I don't have any specific user password policy at this time. When
I<br>
> modify a user's password, I can log in from another PC via SSH as
that<br>
> user using the changed password, but I'm never told it has to be changed.<br>
> In the user's entry, when changing the password, also change the<br>
> attribute passwordExpirationTime to 0. This should trigger the reset<br>
> password code. Note that the attribute passwordExpirationTime is an<br>
> operational attribute.<br>
><br>
> Thanks,<br>
> Harry<br>
><br>
> Harry Devine<br>
> Common ARTS Software Development<br>
> AJT-144<br>
> (609)485-4218_<br>
> __Harry.Devine@faa.gov_ <</font></tt><a href=mailto:Harry.Devine@faa.gov><tt><font size=2 color=blue><u>mailto:Harry.Devine@faa.gov</u></font></tt></a><tt><font size=2>><br>
> From: Rich
Megginson _</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u><rmeggins@redhat.com></u></font></tt></a><tt><font size=2>_
<</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u>mailto:rmeggins@redhat.com</u></font></tt></a><tt><font size=2>><br>
> To: Harry
Devine/ACT/FAA@FAA<br>
> Cc: "General
discussion list for the 389 Directory server project."<br>
> _</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u><389-users@lists.fedoraproject.org></u></font></tt></a><tt><font size=2>_<br>
> <</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u>mailto:389-users@lists.fedoraproject.org</u></font></tt></a><tt><font size=2>>,
Ted Rush/ACT/FAA@FAA<br>
> Date: 01/07/2011
03:37 PM<br>
> Subject: Re:
[389-users] Resetting user passwords<br>
><br>
><br>
><br>
><br>
> ------------------------------------------------------------------------<br>
><br>
><br>
><br>
> On 01/07/2011 01:23 PM, _harry.devine@faa.gov_<br>
> <</font></tt><a href=mailto:harry.devine@faa.gov><tt><font size=2 color=blue><u>mailto:harry.devine@faa.gov</u></font></tt></a><tt><font size=2>>
wrote:<br>
><br>
> Nope. Didn't work. I edited the entry, put in another password, then<br>
> login using the new password and never get prompted to change it.
I saw<br>
> something online here:<br>
> _</font></tt><a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords_"><tt><font size=2 color=blue><u>http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords_</u></font></tt></a><tt><font size=2>.<br>
> Section 13.1.1.5 says something about a bug in Directory Server.<br>
> Are you using per-user/per-subtree (i.e. Fine-Grained) password policy?<br>
> If not, then that section does not apply.<br>
><br>
> Can you post all of your password policy configuration?<br>
> Is that something that I should follow or is that doc outdated?<br>
><br>
> Thanks,<br>
> Harry<br>
><br>
> Harry Devine<br>
> Common ARTS Software Development<br>
> AJT-144<br>
> (609)485-4218_<br>
> __Harry.Devine@faa.gov_ <</font></tt><a href=mailto:Harry.Devine@faa.gov><tt><font size=2 color=blue><u>mailto:Harry.Devine@faa.gov</u></font></tt></a><tt><font size=2>><br>
> From: Rich
Megginson _</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u><rmeggins@redhat.com></u></font></tt></a><tt><font size=2>_
<</font></tt><a href=mailto:rmeggins@redhat.com><tt><font size=2 color=blue><u>mailto:rmeggins@redhat.com</u></font></tt></a><tt><font size=2>><br>
> To: "General
discussion list for the 389 Directory server project."<br>
> _</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u><389-users@lists.fedoraproject.org></u></font></tt></a><tt><font size=2>_<br>
> <</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u>mailto:389-users@lists.fedoraproject.org</u></font></tt></a><tt><font size=2>><br>
> Cc: Harry
Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA<br>
> Date: 01/07/2011
03:12 PM<br>
> Subject: Re:
[389-users] Resetting user passwords<br>
><br>
><br>
><br>
><br>
><br>
> ------------------------------------------------------------------------<br>
><br>
><br>
><br>
> On 01/07/2011 01:02 PM, _harry.devine@faa.gov_<br>
> <</font></tt><a href=mailto:harry.devine@faa.gov><tt><font size=2 color=blue><u>mailto:harry.devine@faa.gov</u></font></tt></a><tt><font size=2>>
wrote:<br>
><br>
> In my 389-ds setup, I have a password policy in place where the user<br>
> must change their password after a reset, they are allowed to change<br>
> their password, and it expires after 90 days. However, I cannot find<br>
> where the Directory Manager can actually RESET a user's password.
The<br>
> docs are very vague in this area IMO, so I'm sure I overlooked it.<br>
><br>
> Not sure, but you may be able to login as directory manager, edit
the<br>
> user's entry, and change the password to some bogus value.<br>
><br>
> Where do I go in the console to reset a particular user's password
so<br>
> they will be prompted to change it when they log in again?<br>
><br>
> Thanks,<br>
> Harry<br>
><br>
> Harry Devine<br>
> Common ARTS Software Development<br>
> AJT-144<br>
> (609)485-4218_<br>
> __Harry.Devine@faa.gov_ <</font></tt><a href=mailto:Harry.Devine@faa.gov><tt><font size=2 color=blue><u>mailto:Harry.Devine@faa.gov</u></font></tt></a><tt><font size=2>><br>
><br>
><br>
> --<br>
> 389 users mailing list_<br>
> __389-users@lists.fedoraproject.org_<br>
> <</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=2 color=blue><u>mailto:389-users@lists.fedoraproject.org</u></font></tt></a><tt><font size=2>>_<br>
> __</font></tt><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users_"><tt><font size=2 color=blue><u>https://admin.fedoraproject.org/mailman/listinfo/389-users_</u></font></tt></a><tt><font size=2><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
</font></tt><font size=3><br>
<br>
</font>
<br><tt><font size=3><br>
<br>
--<br>
389 users mailing list<br>
</font></tt><a href="mailto:389-users@lists.fedoraproject.org"><tt><font size=3 color=blue><u>389-users@lists.fedoraproject.org</u></font></tt></a><tt><font size=3><br>
</font></tt><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users"><tt><font size=3 color=blue><u>https://admin.fedoraproject.org/mailman/listinfo/389-users</u></font></tt></a>
<br>
<br>
<br>
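<br>
Added example (not from the thread or from the 389 Directory Server code base): Python that validates GeneralizedTime values as RFC 4517 defines them, shows why an entry's stored passwordAllowChangeTime keeps blocking changes after the minimum age is set to 0, and builds the LDIF that resets it to the current time. The user DN, the timestamps and the two model functions are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction] then Z or +/-hh[mm].
_GT = re.compile(
    r"(\d{4})(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])([01]\d|2[0-3])"
    r"(?:([0-5]\d)([0-5]\d|60)?)?(?:[.,]\d+)?"
    r"(Z|[+-](?:[01]\d|2[0-3])(?:[0-5]\d)?)"
)


def parse_generalized_time(value):
    """Return an aware UTC datetime; raise ValueError for values such as '0'."""
    m = _GT.fullmatch(value)
    if not m:
        raise ValueError(f"invalid GeneralizedTime: {value!r}")
    year, month, day, hour, minute, second, zone = m.groups()
    # Simplifications: a leap second is clamped to :59, a fraction is ignored.
    naive = datetime(int(year), int(month), int(day), int(hour),
                     int(minute or 0), min(int(second or 0), 59))
    offset = timedelta(0)
    if zone != "Z":
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]),
                                  minutes=int(zone[3:5] or 0))
    return (naive - offset).replace(tzinfo=timezone.utc)


def to_generalized_time(dt):
    """Format an aware datetime in the YYYYMMDDHHMMSSZ form."""
    if dt.tzinfo is None:
        raise ValueError("need a timezone-aware datetime")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def allow_change_time_after_set(set_time, min_age_seconds):
    """Model (assumption): the value is computed once, when the password is set."""
    return to_generalized_time(set_time + timedelta(seconds=min_age_seconds))


def min_age_blocks_change(stored_allow_change_time, now):
    """Model (assumption): a change is refused while now is before the stored value."""
    return now < parse_generalized_time(stored_allow_change_time)


def reset_allow_change_ldif(user_dn, now):
    """LDIF that replaces passwordAllowChangeTime with the current time."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: passwordAllowChangeTime",
        f"passwordAllowChangeTime: {to_generalized_time(now)}",
        "",
    ])


if __name__ == "__main__":
    utc = timezone.utc
    set_time = datetime(2011, 1, 9, 15, 0, tzinfo=utc)   # constructed sample
    now = datetime(2011, 1, 10, 16, 19, tzinfo=utc)      # constructed sample
    stored = allow_change_time_after_set(set_time, 2 * 86400)  # 2-day minimum age
    print(stored, min_age_blocks_change(stored, now))
    # Hypothetical DN; a DN with non-ASCII characters would need base64 LDIF.
    print(reset_allow_change_ldif("uid=jdoe,ou=People,dc=example,dc=com", now))
```

The stored value depends only on the policy in force when the password was set, so lowering the minimum age afterwards leaves the entry blocked until the attribute itself is replaced.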