[389-users] Resetting user passwords

harry.devine at faa.gov harry.devine at faa.gov
Mon Jan 10 16:33:50 UTC 2011


Just did that, got the same error.  What do I set passwordallowchangetime 
to?  I set it to a time value that would've been an hour ago since I got 
an error setting it to 0. 

Thanks,
Harry

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov



From: Rich Megginson <rmeggins at redhat.com>
To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
Cc: Harry Devine/ACT/FAA at FAA, Rob Crittenden <rcritten at redhat.com>, Ted Rush/ACT/FAA at FAA, 389-users-bounces at lists.fedoraproject.org
Date: 01/10/2011 11:19 AM
Subject: Re: [389-users] Resetting user passwords



On 01/10/2011 08:21 AM, harry.devine at faa.gov wrote: 

I had it set to 2 days (the "allow changes in X days" setting).  I set it 
to 0, logged in as that user, and got the exact same error. 

Did you set the global password policy setting or the per-subtree password 
policy setting?
You may have to also reset the passwordallowchangetime attribute in the 
user's entry - if you change the minage password policy setting, it 
doesn't change the passwordallowchangetime in each user's entry since it has 
already been calculated previously.

Thanks, 
Harry 

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov 


From: Rob Crittenden <rcritten at redhat.com>
To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
Cc: Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA, 389-users-bounces at lists.fedoraproject.org
Date: 01/10/2011 10:18 AM
Subject: Re: [389-users] Resetting user passwords




harry.devine at faa.gov wrote:
>
> I tried that (using a date/time string similar to
> passwordallowchangetime), and I was able to get the "your password will
> expire in 10 days" message when I log in. I guess I thought that there
> would have existed either a checkbox or a button similar to Active
> Directory where it says "Reset user password" or something similar.
>
> Now, whenever I try to change the password using the passwd command, I
> get the following error:
>
> LDAP password information update failed: Constraint violation
> within password minimum age
> passwd: Permission denied.
>
> Any ideas on that?

See if you have passwordMinAge set. This defines the minimum amount of 
time that must pass before a password can be changed. This is generally 
used in conjunction with password history (so a user doesn't repeatedly 
change their password so they can re-use one once it gets pushed out of 
history).

rob

> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> From: Harry Devine/ACT/FAA at FAA
> To: Rich Megginson <rmeggins at redhat.com>
> Cc: Ted Rush/ACT/FAA at FAA, "General discussion list for the 389
> Directory server project." <389-users at lists.fedoraproject.org>
> Date: 01/07/2011 11:10 PM
> Subject: Re: [389-users] Resetting user passwords
> Sent by: 389-users-bounces at lists.fedoraproject.org
>
>
> ------------------------------------------------------------------------
>
>
>
> I'll try that on Monday when I'm back at work. Is there any specific
> time formatted string I should use? I saw some of the other attributes
> referring to time appear to have a value that looks like it starts with
> the year and ends with Z.
>
> Thanks!
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> -----Rich Megginson <rmeggins at redhat.com> wrote: -----
>
> To: Harry Devine/ACT/FAA at FAA
> From: Rich Megginson <rmeggins at redhat.com>
> Date: 01/07/2011 08:25PM
> cc: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 06:06 PM, harry.devine at faa.gov wrote:
>
> 0
>
> Looks like a bug. Because we now use strict GeneralizedTime syntax with
> checking, you cannot input that value any more. I suppose you could set
> it to the current time instead.
>
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> -----Rich Megginson <rmeggins at redhat.com> wrote: -----
>
> To: Harry Devine/ACT/FAA at FAA
> From: Rich Megginson <rmeggins at redhat.com>
> Date: 01/07/2011 04:31PM
> cc: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> Subject: Re: [389-users] Resetting user passwords
>
> On 01/07/2011 02:22 PM, harry.devine at faa.gov wrote:
>
> Won't let me do it. I get the following error:
>
> Cannot save to directory server:
> netscape.ldap.LDAPException: error result(21); passwordExpirationTime:
> value #0 invalid per syntax; Invalid Syntax.
>
> What value did you use?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> From: Rich Megginson <rmeggins at redhat.com>
> To: Harry Devine/ACT/FAA at FAA
> Cc: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> Date: 01/07/2011 04:10 PM
> Subject: Re: [389-users] Resetting user passwords
>
> ------------------------------------------------------------------------
>
> On 01/07/2011 01:51 PM, harry.devine at faa.gov wrote:
>
> In the Directory Server GUI, under the Configuration tab, I have:
>
> Passwords:
> Enable fine-grained password policy (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> In the Directory tab, I right-click on People, then select "Manage
> Password Policy" -> For subtree:
>
> Passwords:
> Fine-grained subtree policy enabled (checked)
> User Password Change:
> User must change password after reset (checked)
> User may change password (checked)
> Allow changes in 2 days
> Keep password history: Remember 5 passwords
> Password expiration:
> Password expires after 90 days
> Send warning 10 days before password expires
> Allow up to 1 login attempt(s) after password expires
> Password syntax:
> Check password syntax (unchecked)
> Password Encryption: SSHA
> Account Lockout:
> Accounts may be locked out (checked)
> Password lockout
> Lockout account after 3 login failures
> Reset failure count after 10 minutes
> Lockout duration 30 minutes
>
> I don't have any specific user password policy at this time. When I
> modify a user's password, I can log in from another PC via SSH as that
> user using the changed password, but I'm never told it has to be
> changed.
>
> In the user's entry, when changing the password, also change the
> attribute passwordExpirationTime to 0. This should trigger the reset
> password code. Note that the attribute passwordExpirationTime is an
> operational attribute.
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> From: Rich Megginson <rmeggins at redhat.com>
> To: Harry Devine/ACT/FAA at FAA
> Cc: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>, Ted Rush/ACT/FAA at FAA
> Date: 01/07/2011 03:37 PM
> Subject: Re: [389-users] Resetting user passwords
>
> ------------------------------------------------------------------------
>
> On 01/07/2011 01:23 PM, harry.devine at faa.gov wrote:
>
> Nope. Didn't work. I edited the entry, put in another password, then
> login using the new password and never get prompted to change it. I saw
> something online here:
> <http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords>.
> Section 13.1.1.5 says something about a bug in Directory Server.
>
> Are you using per-user/per-subtree (i.e. Fine-Grained) password policy?
> If not, then that section does not apply.
>
> Can you post all of your password policy configuration?
>
> Is that something that I should follow or is that doc outdated?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
> From: Rich Megginson <rmeggins at redhat.com>
> To: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>
> Cc: Harry Devine/ACT/FAA at FAA, Ted Rush/ACT/FAA at FAA
> Date: 01/07/2011 03:12 PM
> Subject: Re: [389-users] Resetting user passwords
>
> ------------------------------------------------------------------------
>
> On 01/07/2011 01:02 PM, harry.devine at faa.gov wrote:
>
> In my 389-ds setup, I have a password policy in place where the user
> must change their password after a reset, they are allowed to change
> their password, and it expires after 90 days. However, I cannot find
> where the Directory Manager can actually RESET a user's password. The
> docs are very vague in this area IMO, so I'm sure I overlooked it.
>
> Not sure, but you may be able to login as directory manager, edit the
> user's entry, and change the password to some bogus value.
>
> Where do I go in the console to reset a particular user's password so
> they will be prompted to change it when they log in again?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
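
Added example (not from the thread or the 389 project): a Python sketch that checks a value against the year-first, Z-terminated GeneralizedTime form discussed above, showing why `0` is rejected, and builds an LDIF modify record that sets passwordExpirationTime to the current time and passwordAllowChangeTime to an hour earlier. The DN, the sample timestamp and the function names are constructed for illustration, and leap seconds are not handled. The thread does not confirm that these values clear the minimum-age error.

```python
import re
from datetime import datetime, timedelta, timezone

# GeneralizedTime (RFC 4517): YYYYMMDDHH[MM[SS]][.fraction] then "Z" or +/-HHMM.
_GT = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(?:(\d{2})(\d{2})?)?(?:[.,]\d+)?"
    r"(?:Z|[+-]\d{2}(?:\d{2})?)$"
)


def is_generalized_time(value: str) -> bool:
    """True if value is well-formed and names a real calendar date and time."""
    m = _GT.match(value)
    if not m:
        return False
    year, month, day, hour = (int(g) for g in m.groups()[:4])
    minute = int(m.group(5) or 0)
    second = int(m.group(6) or 0)
    try:
        datetime(year, month, day, hour, minute, second)
    except ValueError:  # e.g. month 13; a leap second (:60) is also refused
        return False
    return True


def to_generalized_time(moment: datetime) -> str:
    """Render an aware datetime as UTC in the year-first, Z-terminated form."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def policy_time_ldif(dn: str, now: datetime) -> str:
    """LDIF modify record: expiration = now, allow-change = one hour earlier."""
    values = {
        "passwordExpirationTime": to_generalized_time(now),
        "passwordAllowChangeTime": to_generalized_time(now - timedelta(hours=1)),
    }
    for attr, value in values.items():
        if not is_generalized_time(value):
            raise ValueError(f"{attr}: {value!r} is not GeneralizedTime")
    mods = [f"replace: {a}\n{a}: {v}" for a, v in values.items()]
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(mods) + "\n"


# Constructed sample: the DN is a placeholder; the time is this message's date.
SAMPLE_NOW = datetime(2011, 1, 10, 16, 33, 50, tzinfo=timezone.utc)
SAMPLE_LDIF = policy_time_ldif("uid=jdoe,ou=People,dc=example,dc=com", SAMPLE_NOW)

if __name__ == "__main__":
    print(is_generalized_time("0"))  # the value the console refused
    print(SAMPLE_LDIF)
```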

