[389-users] Resetting user passwords

Rich Megginson rmeggins at redhat.com
Fri Jan 7 21:09:20 UTC 2011


On 01/07/2011 01:51 PM, harry.devine at faa.gov wrote:
>
> In the Directory Server GUI, under the Configuration tab, I have:
>
> Passwords:
>         Enable fine-grained password policy (checked)
>         User Password Change:
>                 User must change password after reset (checked)
>                 User may change password (checked)
>                 Allow changes in 2 days
>                 Keep password history: Remember 5 passwords
>         Password expiration:
>                 Password expires after 90 days
>                 Send warning 10 days before password expires
>                 Allow up to 1 login attempt(s) after password expires
>         Password syntax:
>                 Check password syntax (unchecked)
>         Password Encryption: SSHA
> Account Lockout:
>         Accounts may be locked out (checked)
>         Password lockout
>                 Lockout account after 3 login failures
>                 Reset failure count after 10 minutes
>                 Lockout duration 30 minutes
>
> In the Directory tab, I right-click on People, then select "Manage 
> Password Policy" -> For subtree:
>
> Passwords:
>         Fine-grained subtree policy enabled (checked)
>         User Password Change:
>                 User must change password after reset (checked)
>                 User may change password (checked)
>                 Allow changes in 2 days
>                 Keep password history: Remember 5 passwords
>         Password expiration:
>                 Password expires after 90 days
>                 Send warning 10 days before password expires
>                 Allow up to 1 login attempt(s) after password expires
>         Password syntax:
>                 Check password syntax (unchecked)
>         Password Encryption: SSHA
> Account Lockout:
>         Accounts may be locked out (checked)
>         Password lockout
>                 Lockout account after 3 login failures
>                 Reset failure count after 10 minutes
>                 Lockout duration 30 minutes
>
> I don't have any specific user password policy at this time.  When I 
> modify a user's password, I can log in from another PC via SSH as that 
> user using the changed password, but I'm never told it has to be changed.
In the user's entry, when changing the password, also change the 
attribute passwordExpirationTime to 0.  This should trigger the reset 
password code.  Note that the attribute passwordExpirationTime is an 
operational attribute.
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> From: 	Rich Megginson <rmeggins at redhat.com>
> To: 	Harry Devine/ACT/FAA at FAA
> Cc: 	"General discussion list for the 389 Directory server project." 
> <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> Date: 	01/07/2011 03:37 PM
> Subject: 	Re: [389-users] Resetting user passwords
>
>
> ------------------------------------------------------------------------
>
>
>
> On 01/07/2011 01:23 PM, harry.devine at faa.gov wrote:
>
> Nope.  Didn't work.  I edited the entry, put in another password, then 
> login using the new password and never get prompted to change it.  I 
> saw something online here: 
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords
> Section 13.1.1.5 says something about a bug in Directory Server.
> Are you using per-user/per-subtree (i.e. Fine-Grained) password 
> policy?  If not, then that section does not apply.
>
> Can you post all of your password policy configuration?
> Is that something that I should follow or is that doc outdated?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> From:	Rich Megginson <rmeggins at redhat.com>
> To:	"General discussion list for the 389 Directory server project." 
> <389-users at lists.fedoraproject.org>
> Cc:	Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA
> Date:	01/07/2011 03:12 PM
> Subject:	Re: [389-users] Resetting user passwords
>
>
>
> ------------------------------------------------------------------------
>
>
>
> On 01/07/2011 01:02 PM, harry.devine at faa.gov wrote:
>
> In my 389-ds setup, I have a password policy in place where the user 
> must change their password after a reset, they are allowed to change 
> their password, and it expires after 90 days.  However, I cannot find 
> where the Directory Manager can actually RESET a user's password.  The 
> docs are very vague in this area IMO, so I'm sure I overlooked it.
>
> Not sure, but you may be able to login as directory manager, edit the 
> user's entry, and change the password to some bogus value.
>
> Where do I go in the console to reset a particular user's password so 
> they will be prompted to change it when they log in again?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
