[389-users] Resetting user passwords
Rich Megginson
rmeggins at redhat.com
Sat Jan 8 01:25:34 UTC 2011
On 01/07/2011 06:06 PM, harry.devine at faa.gov wrote:
> 0
Looks like a bug. Because we now use strict GeneralizedTime syntax with
checking, you cannot input that value any more. I suppose you could set
it to the current time instead.
>
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> -----Rich Megginson <rmeggins at redhat.com> wrote: -----
>
> To: Harry Devine/ACT/FAA at FAA
> From: Rich Megginson <rmeggins at redhat.com>
> Date: 01/07/2011 04:31PM
> cc: "General discussion list for the 389 Directory server
> project." <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 02:22 PM, harry.devine at faa.gov wrote:
>>
>> Won't let me do it. I get the following error:
>>
>> Cannot save to directory server:
>> netscape.ldap.LDAPException: error result(21);
>> passwordExpirationTime: value #0 invalid per syntax; Invalid Syntax.
> What value did you use?
>>
>> Thanks,
>> Harry
>>
>> Harry Devine
>> Common ARTS Software Development
>> AJT-144
>> (609)485-4218
>> Harry.Devine at faa.gov
>>
>>
>> From: Rich Megginson <rmeggins at redhat.com>
>> To: Harry Devine/ACT/FAA at FAA
>> Cc: "General discussion list for the 389 Directory server
>> project." <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
>> Date: 01/07/2011 04:10 PM
>> Subject: Re: [389-users] Resetting user passwords
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>>
>> On 01/07/2011 01:51 PM, harry.devine at faa.gov wrote:
>>
>> In the Directory Server GUI, under the Configuration tab, I have:
>>
>> Passwords:
>> Enable fine-grained password policy (checked)
>> User Password Change:
>> User must change password after reset (checked)
>> User may change password (checked)
>> Allow changes in 2 days
>> Keep password history: Remember 5 passwords
>> Password expiration:
>> Password expires after 90 days
>> Send warning 10 days before password expires
>> Allow up to 1 login attempt(s) after password expires
>> Password syntax:
>> Check password syntax (unchecked)
>> Password Encryption: SSHA
>> Account Lockout:
>> Accounts may be locked out (checked)
>> Password lockout
>> Lockout account after 3 login failures
>> Reset failure count after 10 minutes
>> Lockout duration 30 minutes
>>
>> In the Directory tab, I right-click on People, then select
>> "Manage Password Policy" -> For subtree:
>>
>> Passwords:
>> Fine-grained subtree policy enabled (checked)
>> User Password Change:
>> User must change password after reset (checked)
>> User may change password (checked)
>> Allow changes in 2 days
>> Keep password history: Remember 5 passwords
>> Password expiration:
>> Password expires after 90 days
>> Send warning 10 days before password expires
>> Allow up to 1 login attempt(s) after password expires
>> Password syntax:
>> Check password syntax (unchecked)
>> Password Encryption: SSHA
>> Account Lockout:
>> Accounts may be locked out (checked)
>> Password lockout
>> Lockout account after 3 login failures
>> Reset failure count after 10 minutes
>> Lockout duration 30 minutes
>>
>> I don't have any specific user password policy at this time.
>> When I modify a user's password, I can log in from another PC
>> via SSH as that user using the changed password, but I'm never
>> told it has to be changed.
>>
>> In the user's entry, when changing the password, also change the
>> attribute passwordExpirationTime to 0. This should trigger the
>> reset password code. Note that the attribute
>> passwordExpirationTime is an operational attribute.
>>
>> Thanks,
>> Harry
>>
>> Harry Devine
>> Common ARTS Software Development
>> AJT-144
>> (609)485-4218
>> Harry.Devine at faa.gov
>>
>> From: Rich Megginson <rmeggins at redhat.com>
>> To: Harry Devine/ACT/FAA at FAA
>> Cc: "General discussion list for the 389 Directory server
>> project." <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
>> Date: 01/07/2011 03:37 PM
>> Subject: Re: [389-users] Resetting user passwords
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>>
>> On 01/07/2011 01:23 PM, harry.devine at faa.gov wrote:
>>
>> Nope. Didn't work. I edited the entry, put in another password,
>> then log in using the new password and never get prompted to
>> change it. I saw something online here:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords.
>> Section 13.1.1.5 says something about a bug in Directory Server.
>>
>> Are you using per-user/per-subtree (i.e. Fine-Grained) password
>> policy? If not, then that section does not apply.
>>
>> Can you post all of your password policy configuration?
>>
>> Is that something that I should follow or is that doc outdated?
>>
>> Thanks,
>> Harry
>>
>> Harry Devine
>> Common ARTS Software Development
>> AJT-144
>> (609)485-4218
>> Harry.Devine at faa.gov
>>
>> From: Rich Megginson <rmeggins at redhat.com>
>> To: "General discussion list for the 389 Directory server
>> project." <389-users at lists.fedoraproject.org>
>> Cc: Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA
>> Date: 01/07/2011 03:12 PM
>> Subject: Re: [389-users] Resetting user passwords
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>>
>> On 01/07/2011 01:02 PM, harry.devine at faa.gov wrote:
>>
>> In my 389-ds setup, I have a password policy in place where the
>> user must change their password after a reset, they are allowed
>> to change their password, and it expires after 90 days. However,
>> I cannot find where the Directory Manager can actually RESET a
>> user's password. The docs are very vague in this area IMO, so
>> I'm sure I overlooked it.
>>
>> Not sure, but you may be able to log in as directory manager, edit
>> the user's entry, and change the password to some bogus value.
>>
>> Where do I go in the console to reset a particular user's
>> password so they will be prompted to change it when they log in
>> again?
>>
>> Thanks,
>> Harry
>>
>> Harry Devine
>> Common ARTS Software Development
>> AJT-144
>> (609)485-4218
>> Harry.Devine at faa.gov
>>
>>
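The workaround suggested at the top of this message (set passwordExpirationTime to the current time, because strict GeneralizedTime checking rejects 0), as an added example that is not part of the original thread: it validates a value against the RFC 4517 GeneralizedTime syntax and builds an LDIF modify for ldapmodify. The DN and password are constructed placeholders and the function names are hypothetical; the thread does not confirm that a current-time value triggers the must-change prompt.

```python
import base64
import re
from datetime import datetime, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction](Z | +/-HH[MM])
_GT = re.compile(
    r"(\d{4})(\d{2})(\d{2})(\d{2})(?:(\d{2})(\d{2})?)?"
    r"(?:[.,]\d+)?(?:Z|[+-](?:[01]\d|2[0-3])(?:[0-5]\d)?)"
)

def is_generalized_time(value: str) -> bool:
    """True if value parses as GeneralizedTime and names a real date."""
    m = _GT.fullmatch(value)
    if not m:
        return False  # "0" ends here: no date, no time zone
    year, month, day, hour = (int(g) for g in m.groups()[:4])
    minute, second = int(m.group(5) or 0), int(m.group(6) or 0)
    if second > 60:  # 60 is the only permitted leap second
        return False
    try:
        datetime(year, month, day, hour, minute, min(second, 59))
    except ValueError:  # month 13, Feb 31, hour 24, year 0000, ...
        return False
    return True

def to_generalized_time(when: datetime) -> str:
    """Format an aware datetime as UTC GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def reset_ldif(dn: str, new_password: str, expires: str) -> str:
    """LDIF replacing userPassword and passwordExpirationTime in one modify.
    Assumes the DN is plain ASCII; the password is base64-encoded so any
    character is safe in LDIF."""
    if not is_generalized_time(expires):
        raise ValueError(f"not GeneralizedTime: {expires!r}")
    pw = base64.b64encode(new_password.encode("utf-8")).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword:: {pw}",
        "-",
        "replace: passwordExpirationTime",
        f"passwordExpirationTime: {expires}",
        "",
    ])

if __name__ == "__main__":
    # Constructed sample entry and temporary password.
    now = to_generalized_time(datetime.now(timezone.utc))
    print(reset_ldif("uid=jdoe,ou=People,dc=example,dc=com", "Temp-Pass-1", now))
```

The printed LDIF can be fed to ldapmodify while bound as Directory Manager, since passwordExpirationTime is an operational attribute.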