[389-users] Determine when a password is about to expire

Noriko Hosoi nhosoi at redhat.com
Fri Jan 21 18:13:39 UTC 2011


harry.devine at faa.gov wrote:
>
> I can get the passwordexpirationtime value, but I'm unsure what you 
> mean by "set the password expiration to occur immediately".  I'm 
> coming from the Windows world, so I'm used to the "User must change 
> password at next logon" checkbox.  I don't see that anywhere on the 
> GUI, so I'm unclear how you set that.
Could this help ...?

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Configuring_the_Password_Policy
Set the password policies for how users can change their own passwords.

    * To require users to change their password the first time they log
      on, select the *User must change password after reset* checkbox.

      NOTE: If users are required to reset their password, only the Directory
      Manager is authorized to reset the user's password. A regular
      administrative user cannot force the users to update their password.


http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes

*passwordMustChange* When |on|, this attribute requires users to change 
their passwords when they first log in to the directory or after the 
password is reset by the Directory Manager. The user is required to 
change their password even if user-defined passwords are disabled. If 
this attribute is set to |off|, passwords assigned by the Directory 
Manager should not follow any obvious convention and should be difficult 
to discover. This attribute is |off| by default.
>
> Also, how do I manipulate the dates?  I get something similar to 
> 20110122161029Z (for example) for passwordexpirationtime.  How do I 
> convert that to a proper date format?  Also, I just changed my 
> account's password while testing, and I see that 
> passwordexpirationtime got reset to 19700101000000Z.  What does the 
> 1970xxx value represent?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> From: 	James Roman <james.roman at ssaihq.com>
> To: 	389-users at lists.fedoraproject.org
> Date: 	01/21/2011 10:17 AM
> Subject: 	Re: [389-users] Determine when a password is about to expire
> Sent by: 	389-users-bounces at lists.fedoraproject.org
>
>
> ------------------------------------------------------------------------
>
>
>
> Most LDAP servers use a different schema than the Microsoft version 
> and work from the opposite direction. Try querying 
> "passwordexpirationtime". You can do a search for the specific 
> password schema with the following info: 2.16.840.1.113730.3.2.12 
>  passwordObject
>
> I think it is more common to:
> 1. administratively set the password on a user account
> 2. set the password expiration to occur immediately.
> 3. set the passwordGraceUserTime for a time period that allows the 
> user to log in solely to change their password.
>
> However, you must explicitly program your site to gracefully handle 
> this situation (condition where passwordexpirationtime < now < 
> passwordGraceUserTime) , since the user's LDAP authentication attempt 
> against the directory will fail (with an error indicating the password 
> has expired).
>
> On 01/21/2011 09:45 AM, harry.devine at faa.gov wrote:
>
> I am in the process of creating a web-based mechanism to allow our 
> users to change their password on our new 389-ds server.  I would like 
> to display the date that their password is due to expire, and while 
> Googling around, I see a lot of references to pwdLastSet, but about 
> 95% of the articles are referring to Active Directory.  I don't see 
> pwdLastSet amongst the attributes in my default 389-ds setup.  Is it 
> there, or do I have to add that attribute to every account?
>
> Also, I currently have my pages set up where, when the user logs in, 
> it detects our 'default' password and forces them to change it.  Is 
> there some attribute in their account that I can set that I can key 
> off of and force them to change their password when they login to my site?
>
> Thanks for any tips!
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pwdpolicy-change.png
Type: image/png
Size: 17691 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20110121/ece1cfad/attachment.png>
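
Added example (not part of the original thread, and not 389 Directory Server code): one way a password-change page could turn a passwordExpirationTime value such as 20110122161029Z into a date and a status. The names parse_generalized_time, password_status and warn_days are hypothetical, and treating 19700101000000Z (the Unix epoch, time zero) as a "must change now" marker rather than a real expiry date is an assumption of this example.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_GT = re.compile(r"[0-9]{14}Z")  # only the UTC form shown in the thread


def parse_generalized_time(value):
    """Turn 'YYYYMMDDHHMMSSZ' into a timezone-aware UTC datetime."""
    if not _GT.fullmatch(value):
        raise ValueError("unsupported timestamp: %r" % (value,))
    parsed = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def password_status(expiration, now, warn_days=14):
    """Return (state, expiry datetime or None, whole days left or None).

    expiration is the raw attribute value, or None when the entry has no
    passwordExpirationTime; now must be a timezone-aware datetime.
    """
    if expiration is None:
        return ("no-expiry", None, None)
    expires = parse_generalized_time(expiration)
    # Assumption: epoch zero is a marker, not a date, so never show it
    # to the user as "expired in 1970"; send them to the change form.
    if expires == EPOCH:
        return ("must-change", None, None)
    remaining = expires - now
    if remaining <= timedelta(0):
        return ("expired", expires, 0)
    state = "expiring-soon" if remaining <= timedelta(days=warn_days) else "ok"
    return (state, expires, remaining.days)


if __name__ == "__main__":
    # Constructed "now" and sample values; the first two strings are the
    # ones quoted in the thread.
    now = datetime(2011, 1, 21, 18, 13, 39, tzinfo=timezone.utc)
    for raw in ("20110122161029Z", "19700101000000Z", None):
        state, expires, days = password_status(raw, now)
        shown = expires.strftime("%Y-%m-%d %H:%M:%S UTC") if expires else "-"
        print(raw, state, shown, days)
```

Comparing in UTC with timezone-aware datetimes avoids off-by-hours errors when the web server's local time zone differs from the directory's.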

