[389-users] Resetting user passwords

Rich Megginson rmeggins at redhat.com
Mon Jan 10 16:16:00 UTC 2011


On 01/10/2011 08:21 AM, harry.devine at faa.gov wrote:
>
> I had it set to 2 days (the "allow changes in X days" setting).  I set 
> it to 0, logged in as that user, and got the exact same error.
Did you set the global password policy setting or the per-subtree 
password policy setting?
You may have to also reset the passwordallowchangetime attribute in the 
user's entry - if you change the minage password policy setting, it 
doesn't change the passwordallowchangetime in each user's entry since 
it has already been calculated previously.
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> From: Rob Crittenden <rcritten at redhat.com>
> To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> Cc: Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA, 389-users-bounces at lists.fedoraproject.org
> Date: 01/10/2011 10:18 AM
> Subject: Re: [389-users] Resetting user passwords
>
>
> ------------------------------------------------------------------------
>
>
>
> harry.devine at faa.gov wrote:
> >
> > I tried that (using a date/time string similar to
> > passwordallowchangetime), and I was able to get the "your password will
> > expire in 10 days" message when I log in. I guess I thought that there
> > would have existed either a checkbox or a button similar to Active
> > Directory where it says "Reset user password" or something similar.
> >
> > Now, whenever I try to change the password using the passwd command, I
> > get the following error:
> >
> > LDAP password information update failed: Constraint violation
> > within password minimum age
> > passwd: Permission denied.
> >
> > Any ideas on that?
>
> See if you have passwordMinAge set. This defines the minimum amount of
> time that must pass before a password can be changed. This is generally
> used in conjunction with password history (so a user doesn't repeatedly
> change their password so they can re-use one once it gets pushed out of
> history).
>
> rob
>
> > Harry
> >
> > Harry Devine
> > Common ARTS Software Development
> > AJT-144
> > (609)485-4218
> > Harry.Devine at faa.gov
> >
> >
> > From: Harry Devine/ACT/FAA at FAA
> > To: Rich Megginson <rmeggins at redhat.com>
> > Cc: Ted Rush/ACT/FAA at FAA, "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> > Date: 01/07/2011 11:10 PM
> > Subject: Re: [389-users] Resetting user passwords
> > Sent by: 389-users-bounces at lists.fedoraproject.org
> >
> >
> > ------------------------------------------------------------------------
> >
> >
> >
> > I'll try that on Monday when I'm back at work. Is there any specific
> > time formatted string I should use? I saw some of the other attributes
> > referring to time appear to have a value that looks like it starts with
> > the year and ends with Z.
> >
> > Thanks!
> > Harry
> >
> > Harry Devine
> > Common ARTS Software Development
> > AJT-144
> > (609)485-4218
> > Harry.Devine at faa.gov
> >
> > -----Rich Megginson <rmeggins at redhat.com> wrote: -----
> >
> > To: Harry Devine/ACT/FAA at FAA
> > From: Rich Megginson <rmeggins at redhat.com>
> > Date: 01/07/2011 08:25PM
> > cc: "General discussion list for the 389 Directory server project."
> > <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> > Subject: Re: [389-users] Resetting user passwords
> >
> > On 01/07/2011 06:06 PM, harry.devine at faa.gov wrote:
> > 0
> > Looks like a bug. Because we now use strict GeneralizedTime syntax with
> > checking, you cannot input that value any more. I suppose you could set
> > it to the current time instead.
> >
> > Harry
> >
> > Harry Devine
> > Common ARTS Software Development
> > AJT-144
> > (609)485-4218
> > Harry.Devine at faa.gov
> >
> > -----Rich Megginson <rmeggins at redhat.com> wrote: -----
> >
> > To: Harry Devine/ACT/FAA at FAA
> > From: Rich Megginson <rmeggins at redhat.com>
> > Date: 01/07/2011 04:31PM
> > cc: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> > Subject: Re: [389-users] Resetting user passwords
> >
> > On 01/07/2011 02:22 PM, harry.devine at faa.gov wrote:
> >
> > Won't let me do it. I get the following error:
> >
> > Cannot save to directory server:
> > netscape.ldap.LDAPException: error result(21); passwordExpirationTime:
> > value #0 invalid per syntax; Invalid Syntax.
> > What value did you use?
> >
> > Thanks,
> > Harry
> >
> > Harry Devine
> > Common ARTS Software Development
> > AJT-144
> > (609)485-4218
> > Harry.Devine at faa.gov
> >
> > From: Rich Megginson <rmeggins at redhat.com>
> > To: Harry Devine/ACT/FAA at FAA
> > Cc: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> > Date: 01/07/2011 04:10 PM
> > Subject: Re: [389-users] Resetting user passwords
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> >
> >
> > On 01/07/2011 01:51 PM, harry.devine at faa.gov wrote:
> >
> > In the Directory Server GUI, under the Configuration tab, I have:
> >
> > Passwords:
> > Enable fine-grained password policy (checked)
> > User Password Change:
> > User must change password after reset (checked)
> > User may change password (checked)
> > Allow changes in 2 days
> > Keep password history: Remember 5 passwords
> > Password expiration:
> > Password expires after 90 days
> > Send warning 10 days before password expires
> > Allow up to 1 login attempt(s) after password expires
> > Password syntax:
> > Check password syntax (unchecked)
> > Password Encryption: SSHA
> > Account Lockout:
> > Accounts may be locked out (checked)
> > Password lockout
> > Lockout account after 3 login failures
> > Reset failure count after 10 minutes
> > Lockout duration 30 minutes
> >
> > In the Directory tab, I right-click on People, then select "Manage
> > Password Policy" -> For subtree:
> >
> > Passwords:
> > Fine-grained subtree policy enabled (checked)
> > User Password Change:
> > User must change password after reset (checked)
> > User may change password (checked)
> > Allow changes in 2 days
> > Keep password history: Remember 5 passwords
> > Password expiration:
> > Password expires after 90 days
> > Send warning 10 days before password expires
> > Allow up to 1 login attempt(s) after password expires
> > Password syntax:
> > Check password syntax (unchecked)
> > Password Encryption: SSHA
> > Account Lockout:
> > Accounts may be locked out (checked)
> > Password lockout
> > Lockout account after 3 login failures
> > Reset failure count after 10 minutes
> > Lockout duration 30 minutes
> >
> > I don't have any specific user password policy at this time. When I
> > modify a user's password, I can log in from another PC via SSH as that
> > user using the changed password, but I'm never told it has to be 
> changed.
> > In the user's entry, when changing the password, also change the
> > attribute passwordExpirationTime to 0. This should trigger the reset
> > password code. Note that the attribute passwordExpirationTime is an
> > operational attribute.
> >
> > Thanks,
> > Harry
> >
> > Harry Devine
> > Common ARTS Software Development
> > AJT-144
> > (609)485-4218
> > Harry.Devine at faa.gov
> > From: Rich Megginson <rmeggins at redhat.com>
> > To: Harry Devine/ACT/FAA at FAA
> > Cc: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> > Date: 01/07/2011 03:37 PM
> > Subject: Re: [389-users] Resetting user passwords
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> >
> >
> > On 01/07/2011 01:23 PM, harry.devine at faa.gov wrote:
> >
> > Nope. Didn't work. I edited the entry, put in another password, then
> > login using the new password and never get prompted to change it. I saw
> > something online here:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords
> > Section 13.1.1.5 says something about a bug in Directory Server.
> > Are you using per-user/per-subtree (i.e. Fine-Grained) password policy?
> > If not, then that section does not apply.
> >
> > Can you post all of your password policy configuration?
> > Is that something that I should follow or is that doc outdated?
> >
> > Thanks,
> > Harry
> >
> > Harry Devine
> > Common ARTS Software Development
> > AJT-144
> > (609)485-4218
> > Harry.Devine at faa.gov
> > From: Rich Megginson <rmeggins at redhat.com>
> > To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> > Cc: Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA
> > Date: 01/07/2011 03:12 PM
> > Subject: Re: [389-users] Resetting user passwords
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> >
> >
> > On 01/07/2011 01:02 PM, harry.devine at faa.gov wrote:
> >
> > In my 389-ds setup, I have a password policy in place where the user
> > must change their password after a reset, they are allowed to change
> > their password, and it expires after 90 days. However, I cannot find
> > where the Directory Manager can actually RESET a user's password. The
> > docs are very vague in this area IMO, so I'm sure I overlooked it.
> >
> > Not sure, but you may be able to login as directory manager, edit the
> > user's entry, and change the password to some bogus value.
> >
> > Where do I go in the console to reset a particular user's password so
> > they will be prompted to change it when they log in again?
> >
> > Thanks,
> > Harry
> >
> > Harry Devine
> > Common ARTS Software Development
> > AJT-144
> > (609)485-4218
> > Harry.Devine at faa.gov
> >
> >
> > --
> > 389 users mailing list
> > 389-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
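The procedure the thread converges on (replace userPassword as Directory Manager, set passwordExpirationTime to a strict GeneralizedTime rather than "0", and reset the stale passwordAllowChangeTime that the passwordMinAge check is made against), written out as an added example that is not part of the original thread or of the 389-ds project. The script below emits the LDIF an administrator would pipe into ldapmodify and models the minimum-age check that produced the "Constraint violation within password minimum age" error. The DN, the password and the timestamps are constructed for illustration; the attribute names are the ones the thread names. The thread does not confirm exactly how the server reacts to a passwordExpirationTime equal to "now" or to a directly written passwordAllowChangeTime, so verify the behaviour on a non-production instance before using it on user accounts.

```python
"""Added example (not from the thread or 389-ds): build the ldapmodify LDIF
for resetting a user's password in 389 Directory Server and model the
passwordMinAge check behind "Constraint violation within password minimum
age".  Every name, password and timestamp here is constructed."""
from datetime import datetime, timezone
import re

# 389-ds validates these operational attributes as strict GeneralizedTime,
# which is why a bare "0" is rejected with result 21 (Invalid Syntax).
GENTIME_RE = re.compile(r"^\d{14}Z$")
GENTIME_FMT = "%Y%m%d%H%M%SZ"


def generalized_time(dt: datetime) -> str:
    """Format a timezone-aware datetime as YYYYMMDDHHMMSSZ (UTC)."""
    if dt.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    return dt.astimezone(timezone.utc).strftime(GENTIME_FMT)


def is_valid_generalized_time(value: str) -> bool:
    """True only for the exact 14-digits-plus-Z form the server accepts."""
    if not GENTIME_RE.match(value):
        return False
    try:
        datetime.strptime(value, GENTIME_FMT)   # rejects e.g. month 13
    except ValueError:
        return False
    return True


def parse_generalized_time(value: str) -> datetime:
    if not is_valid_generalized_time(value):
        raise ValueError(f"{value!r}: value invalid per syntax "
                         "(expected YYYYMMDDHHMMSSZ)")
    return datetime.strptime(value, GENTIME_FMT).replace(tzinfo=timezone.utc)


def change_allowed(password_allow_change_time: str, now: datetime) -> bool:
    """Model of the minimum-age check: the server compares 'now' with the
    passwordAllowChangeTime already stored in the entry.  Lowering
    passwordMinAge in the policy afterwards does not rewrite that stored
    value, so a user whose entry still carries a future timestamp stays
    blocked until it is reset."""
    return now >= parse_generalized_time(password_allow_change_time)


def reset_password_ldif(dn: str, new_password: str, now: datetime) -> str:
    """One 'changetype: modify' that (1) replaces userPassword, (2) sets
    passwordExpirationTime to now so the must-change-after-reset logic
    fires on the next bind, and (3) sets passwordAllowChangeTime to now so
    passwordMinAge does not block that forced change.  The server hashes
    the cleartext value with its passwordStorageScheme (SSHA in the thread)."""
    if (not new_password.isascii() or not new_password.isprintable()
            or new_password.startswith((" ", ":", "<"))):
        raise ValueError("value needs base64 LDIF encoding; not handled here")
    stamp = generalized_time(now)
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {new_password}",
        "-",
        "replace: passwordExpirationTime",
        f"passwordExpirationTime: {stamp}",
        "-",
        "replace: passwordAllowChangeTime",
        f"passwordAllowChangeTime: {stamp}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Hypothetical user DN and a throwaway placeholder password.
    print(reset_password_ldif("uid=hdevine,ou=People,dc=example,dc=com",
                              "Temp-Reset-Me-1",
                              datetime.now(timezone.utc)), end="")
```

Feed the output to ldapmodify bound as the Directory Manager (for example `ldapmodify -x -D "cn=Directory Manager" -W -H ldap://server < reset.ldif`), since the two timestamp attributes are operational and ordinary users cannot write them. Keep the LDIF file off shared disk and delete it afterwards: it holds the temporary cleartext password until the server hashes it.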
