01-07-2011, 07:02 PM

Resetting user passwords

In my 389-ds setup, I have a password policy in place where the user must change their password after a reset, they are allowed to change their password, and it expires after 90 days. However, I cannot find where the Directory Manager can actually RESET a user's password. The docs are very vague in this area IMO, so I'm sure I overlooked it.

Where do I go in the console to reset a particular user's password so they will be prompted to change it when they log in again?

Thanks,
Harry

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@faa.gov

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
01-07-2011, 07:11 PM
Rich Megginson

On 01/07/2011 01:02 PM, harry.devine@faa.gov wrote:

> In my 389-ds setup, I have a password policy in place where the user must change their password after a reset, they are allowed to change their password, and it expires after 90 days. However, I cannot find where the Directory Manager can actually RESET a user's password. The docs are very vague in this area IMO, so I'm sure I overlooked it.

Not sure, but you may be able to login as directory manager, edit the user's entry, and change the password to some bogus value.

> Where do I go in the console to reset a particular user's password so they will be prompted to change it when they log in again?




 
01-07-2011, 07:23 PM

Nope. Didn't work. I edited the entry, put in another password, then login using the new password and never get prompted to change it. I saw something online here: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords. Section 13.1.1.5 says something about a bug in Directory Server. Is that something that I should follow or is that doc outdated?

Thanks,
Harry

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@faa.gov








 
01-07-2011, 07:37 PM
Rich Megginson

On 01/07/2011 01:23 PM, harry.devine@faa.gov wrote:

> Nope. Didn't work. I edited the entry, put in another password, then login using the new password and never get prompted to change it. I saw something online here: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords. Section 13.1.1.5 says something about a bug in Directory Server.

Are you using per-user/per-subtree (i.e. Fine-Grained) password policy? If not, then that section does not apply.

Can you post all of your password policy configuration?

> Is that something that I should follow or is that doc outdated?




 
01-07-2011, 07:51 PM

In the Directory Server GUI, under the Configuration tab, I have:

Passwords:
    Enable fine-grained password policy (checked)
    User Password Change:
        User must change password after reset (checked)
        User may change password (checked)
        Allow changes in 2 days
        Keep password history: Remember 5 passwords
    Password expiration:
        Password expires after 90 days
        Send warning 10 days before password expires
        Allow up to 1 login attempt(s) after password expires
    Password syntax:
        Check password syntax (unchecked)
    Password Encryption: SSHA
Account Lockout:
    Accounts may be locked out (checked)
    Password lockout
        Lockout account after 3 login failures
        Reset failure count after 10 minutes
        Lockout duration 30 minutes

In the Directory tab, I right-click on People, then select "Manage Password Policy" -> For subtree:

Passwords:
    Fine-grained subtree policy enabled (checked)
    User Password Change:
        User must change password after reset (checked)
        User may change password (checked)
        Allow changes in 2 days
        Keep password history: Remember 5 passwords
    Password expiration:
        Password expires after 90 days
        Send warning 10 days before password expires
        Allow up to 1 login attempt(s) after password expires
    Password syntax:
        Check password syntax (unchecked)
    Password Encryption: SSHA
Account Lockout:
    Accounts may be locked out (checked)
    Password lockout
        Lockout account after 3 login failures
        Reset failure count after 10 minutes
        Lockout duration 30 minutes

I don't have any specific user password policy at this time. When I modify a user's password, I can log in from another PC via SSH as that user using the changed password, but I'm never told it has to be changed.

Thanks,
Harry

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@faa.gov








 
01-07-2011, 08:09 PM
Rich Megginson

On 01/07/2011 01:51 PM, harry.devine@faa.gov wrote:







> I don't have any specific user password policy at this time. When I modify a user's password, I can log in from another PC via SSH as that user using the changed password, but I'm never told it has to be changed.

In the user's entry, when changing the password, also change the attribute passwordExpirationTime to 0. This should trigger the reset password code. Note that the attribute passwordExpirationTime is an operational attribute.




 
01-07-2011, 08:22 PM

Won't let me do it. I get the following error:

Cannot save to directory server:
netscape.ldap.LDAPException: error result(21); passwordExpirationTime: value #0 invalid per syntax; Invalid Syntax.

Thanks,
Harry

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@faa.gov








 
01-07-2011, 08:31 PM
Rich Megginson

On 01/07/2011 02:22 PM, harry.devine@faa.gov wrote:

> Won't let me do it. I get the following error:
>
> Cannot save to directory server:
> netscape.ldap.LDAPException: error result(21); passwordExpirationTime: value #0 invalid per syntax; Invalid Syntax.

What value did you use?




 
01-08-2011, 12:06 AM

0

Harry

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@faa.gov
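
Added example, not part of the thread and not 389-ds project code: passwordExpirationTime has Generalized Time syntax, which is why the bare value 0 above is rejected with result 21 (invalidAttributeSyntax). The sketch builds the password reset as one LDIF modify, assuming the "0" in the advice means time zero (the Unix epoch) written in that syntax; the DN, password and host are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. DN, password and host are constructed.
#
# passwordExpirationTime has Generalized Time syntax
# (OID 1.3.6.1.4.1.1466.115.121.1.24). A bare "0" does not parse as a
# timestamp, so the server answers with LDAP result 21
# (invalidAttributeSyntax), the error quoted in the thread.

# Succeeds only for a UTC timestamp written as YYYYMMDDHHMMSSZ.
# The syntax also permits fractions and offsets; this check is stricter
# on purpose so that only one unambiguous form is ever sent.
is_generalized_time() {
    [ "${#1}" -eq 15 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{4}(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])([01][0-9]|2[0-3])[0-5][0-9][0-5][0-9]Z$'
}

# Convert epoch seconds to Generalized Time in UTC.
# Tries GNU date first, then the BSD form.
epoch_to_generalized_time() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # digits only
    esac
    date -u -d "@$1" +%Y%m%d%H%M%SZ 2>/dev/null ||
        date -u -r "$1" +%Y%m%d%H%M%SZ
}

# Emit an LDIF change record that replaces userPassword and
# passwordExpirationTime in a single modify operation.
#   $1 = user DN   $2 = temporary password   $3 = expiry in epoch seconds
# Assumption: epoch 0 is what "set it to 0" in the thread refers to.
build_reset_ldif() {
    when=$(epoch_to_generalized_time "$3") || return 1
    is_generalized_time "$when" || return 1
    # Base64 ("::") keeps any password byte LDIF-safe
    # (leading space, colon, non-ASCII).
    pw_b64=$(printf '%s' "$2" | base64 | tr -d '\n')
    cat <<EOF
dn: $1
changetype: modify
replace: userPassword
userPassword:: $pw_b64
-
replace: passwordExpirationTime
passwordExpirationTime: $when
EOF
}

# Constructed demo: show that "0" fails the syntax check, then print the
# change record for a made-up user.
is_generalized_time 0 || echo '"0" is not Generalized Time (result 21)' >&2
build_reset_ldif 'uid=jdoe,ou=People,dc=example,dc=com' 'Temp-Pass1' 0

# To apply, save the output to a file readable only by you (umask 077) and
# feed it to an LDAP client, e.g. OpenLDAP's ldapmodify over StartTLS
# (host is a placeholder):
#   ldapmodify -x -ZZ -H ldap://ds.example.com \
#       -D "cn=Directory Manager" -W -f reset.ldif
```

After applying, read the attribute back as Directory Manager (it is operational, so it must be requested by name) and confirm with a test bind that the client is told to change the password.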

-----Rich Megginson <rmeggins@redhat.com> wrote: -----

To: Harry Devine/ACT/FAA@FAA
From: Rich Megginson <rmeggins@redhat.com>
Date: 01/07/2011 04:31PM
cc: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>, Ted Rush/ACT/FAA@FAA
Subject: Re: [389-users] Resetting user passwords






On 01/07/2011 02:22 PM, harry.devine@faa.gov wrote:



Won't let me do it. *I get the
following error:




Cannot save to directory server:


netscape.ldap.LDAPException:
error result(21);
passwordExpirationTime: value #0 invalid per syntax; Invalid
Syntax.



What value did you use?




Thanks,


Harry




Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov









From:

Rich Megginson
<rmeggins@redhat.com>





To:

Harry
Devine/ACT/FAA@FAA



Cc:

"General discussion
list for the
389 Directory server project."
<389-users@lists.fedoraproject.org>,
Ted Rush/ACT/FAA@FAA



Date:

01/07/2011 04:10 PM



Subject:

Re: [389-users]
Resetting user passwords












On 01/07/2011 01:51 PM, harry.devine@faa.gov
wrote:




In the Directory Server GUI, under the Configuration tab, I
have:




Passwords:

* * * *Enable fine-grained password policy (checked)


* * * *User Password Change:

* * * * * * * *User must change
password after reset (checked)

* * * * * * * *User may change
password (checked)

* * * * * * * *Allow changes in
2 days

* * * * * * * *Keep password history:
Remember 5 passwords

* * * *Password expiration:

* * * * * * * *Password expires
after 90 days

* * * * * * * *Send warning 10
days before password expires

* * * * * * * *Allow up to 1 login
attempt(s) after password expires

* * * *Password syntax:

* * * * * * * *Check password
syntax (unchecked)

* * * *Password Encryption: SSHA


Account Lockout:

* * * *Accounts may be locked out (checked)


* * * *Password lockout

* * * * * * * *Lockout account
after 3 login failures

* * * * * * * *Reset failure count
after 10 minutes

* * * * * * * *Lockout duration
30 minutes



In the Directory tab, I right-click on People, then select
"Manage
Password Policy" -> For subtree:



Passwords:

* * * *Fine-grained subtree policy enabled (checked)


* * * *User Password Change:

* * * * * * * *User must change
password after reset (checked)

* * * * * * * *User may change
password (checked)

* * * * * * * *Allow changes in
2 days

* * * * * * * *Keep password history:
Remember 5 passwords

* * * *Password expiration:

* * * * * * * *Password expires
after 90 days

* * * * * * * *Send warning 10
days before password expires

* * * * * * * *Allow up to 1 login
attempt(s) after password expires

* * * *Password syntax:

* * * * * * * *Check password
syntax (unchecked)

* * * *Password Encryption: SSHA


Account Lockout:

* * * *Accounts may be locked out (checked)


* * * *Password lockout

* * * * * * * *Lockout account
after 3 login failures

* * * * * * * *Reset failure count
after 10 minutes

* * * * * * * *Lockout duration
30 minutes



I don't have any specific user password policy at this time.
*When
I modify a user's password, I can log in from another PC via SSH
as that
user using the changed password, but I'm never told it has to be
changed.



In the user's entry, when changing the password,
also
change the attribute passwordExpirationTime to 0. *This should
trigger
the reset password code. *Note that the attribute
passwordExpirationTime
is an operational attribute.




Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov








From:


Rich
Megginson <rmeggins@redhat.com>




To:


Harry
Devine/ACT/FAA@FAA




Cc:


"General discussion
list for the
389 Directory server project." <389-users@lists.fedoraproject.org>,
Ted Rush/ACT/FAA@FAA



Date:


01/07/2011 03:37 PM




Subject:


Re: [389-users]
Resetting user passwords














On 01/07/2011 01:23 PM, harry.devine@faa.gov wrote:

Nope. Didn't work. I edited the entry, put in another password,
then log in using the new password and never get prompted to change it.
I saw something online here: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password _Policy-Setting_User_Passwords.
Section 13.1.1.5 says something about a bug in Directory Server.

Are you using per-user/per-subtree (i.e. Fine-Grained) password
policy? If not, then that section does not apply.



Can you post all of your password policy configuration?

Is that something that I should follow or is that doc outdated?




Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov






From: Rich Megginson <rmeggins@redhat.com>
To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
Cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
Date: 01/07/2011 03:12 PM
Subject: Re: [389-users] Resetting user passwords

On 01/07/2011 01:02 PM, harry.devine@faa.gov wrote:

In my 389-ds setup, I have a password policy in place where the user
must change their password after a reset, they are allowed to change
their password, and it expires after 90 days. However, I cannot find
where the Directory Manager can actually RESET a user's password. The
docs are very vague in this area IMO, so I'm sure I overlooked it.

Not sure, but you may be able to login as directory manager, edit the
user's entry, and change the password to some bogus value.

Where do I go in the console to reset a particular user's password so
they will be prompted to change it when they log in again?




Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov






 
Old 01-08-2011, 12:25 AM
Rich Megginson
 
Default Resetting user passwords

On 01/07/2011 06:06 PM, harry.devine@faa.gov wrote:
0


Looks like a bug. Because we now use strict GeneralizedTime syntax
with checking, you cannot input that value any more. I suppose you
could set it to the current time instead.



Harry




Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov




-----Rich Megginson <rmeggins@redhat.com> wrote: -----

To: Harry Devine/ACT/FAA@FAA
From: Rich Megginson <rmeggins@redhat.com>
Date: 01/07/2011 04:31PM
cc: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>, Ted Rush/ACT/FAA@FAA
Subject: Re: [389-users] Resetting user passwords




On 01/07/2011 02:22 PM, harry.devine@faa.gov wrote:

Won't let me do it. I get the following error:

Cannot save to directory server:
netscape.ldap.LDAPException: error result(21); passwordExpirationTime: value #0 invalid per syntax; Invalid Syntax.


What value did you use?



Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov









From: Rich Megginson <rmeggins@redhat.com>
To: Harry Devine/ACT/FAA@FAA
Cc: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>, Ted Rush/ACT/FAA@FAA
Date: 01/07/2011 04:10 PM
Subject: Re: [389-users] Resetting user passwords

On 01/07/2011 01:51 PM, harry.devine@faa.gov wrote:



In the Directory Server GUI, under the Configuration
tab, I have:



Passwords:

    Enable fine-grained password policy (checked)

    User Password Change:
        User must change password after reset (checked)
        User may change password (checked)
        Allow changes in 2 days
        Keep password history: Remember 5 passwords

    Password expiration:
        Password expires after 90 days
        Send warning 10 days before password expires
        Allow up to 1 login attempt(s) after password expires

    Password syntax:
        Check password syntax (unchecked)

    Password Encryption: SSHA

Account Lockout:

    Accounts may be locked out (checked)

    Password lockout
        Lockout account after 3 login failures
        Reset failure count after 10 minutes
        Lockout duration 30 minutes



In the Directory tab, I right-click on People, then
select "Manage Password Policy" -> For subtree:



Passwords:

    Fine-grained subtree policy enabled (checked)

    User Password Change:
        User must change password after reset (checked)
        User may change password (checked)
        Allow changes in 2 days
        Keep password history: Remember 5 passwords

    Password expiration:
        Password expires after 90 days
        Send warning 10 days before password expires
        Allow up to 1 login attempt(s) after password expires

    Password syntax:
        Check password syntax (unchecked)

    Password Encryption: SSHA

Account Lockout:

    Accounts may be locked out (checked)

    Password lockout
        Lockout account after 3 login failures
        Reset failure count after 10 minutes
        Lockout duration 30 minutes



I don't have any specific user password policy at this
time. When I modify a user's password, I can log in
from another PC via SSH as that user using the changed
password, but I'm never told it has to be changed.

In the user's entry, when changing the
password, also change the attribute
passwordExpirationTime to 0. This should trigger the
reset password code. Note that the attribute
passwordExpirationTime is an operational attribute.




Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov







From: Rich Megginson <rmeggins@redhat.com>
To: Harry Devine/ACT/FAA@FAA
Cc: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>, Ted Rush/ACT/FAA@FAA
Date: 01/07/2011 03:37 PM
Subject: Re: [389-users] Resetting user passwords

On 01/07/2011 01:23 PM, harry.devine@faa.gov wrote:



Nope. Didn't work. I edited the entry, put in another
password, then log in using the new password and never
get prompted to change it. I saw something online here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password _Policy-Setting_User_Passwords. Section 13.1.1.5 says
something about a bug in Directory Server.

Are you using per-user/per-subtree (i.e. Fine-Grained)
password policy? If not, then that section does not
apply.



Can you post all of your password policy configuration?


Is that something that I should follow or is that doc
outdated?



Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov





From: Rich Megginson <rmeggins@redhat.com>
To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
Cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
Date: 01/07/2011 03:12 PM
Subject: Re: [389-users] Resetting user passwords

On 01/07/2011 01:02 PM, harry.devine@faa.gov wrote:



In my 389-ds setup, I have a password policy in place
where the user must change their password after a reset,
they are allowed to change their password, and it
expires after 90 days. However, I cannot find where the
Directory Manager can actually RESET a user's password.
The docs are very vague in this area IMO, so I'm sure I
overlooked it.



Not sure, but you may be able to login as directory
manager, edit the user's entry, and change the password
to some bogus value.



Where do I go in the console to reset a particular
user's password so they will be prompted to change it
when they log in again?



Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov





--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
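
Added example, not part of the thread: the last reply suggests setting passwordExpirationTime to the current time, because "0" no longer passes the GeneralizedTime syntax check. The sketch below validates the value and builds the LDIF for the reset; the function names, DN and host are assumptions, and the thread does not confirm that the server then forces a password change.

```shell
#!/bin/sh
# Added example, not from the thread. DN and host below are constructed samples.

# Current UTC time in the YYYYMMDDHHMMSSZ form of GeneralizedTime.
now_generalized_time() {
    date -u +%Y%m%d%H%M%SZ
}

# Succeeds only for YYYYMMDDHHMMSSZ with in-range fields. This is a strict
# subset of GeneralizedTime (RFC 4517 also allows fractions and offsets).
# A bare "0" fails here, as it did in the console error quoted in the thread.
is_generalized_time() {
    # Exactly 15 characters, so no embedded newline can smuggle extra LDIF lines.
    [ "${#1}" -eq 15 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
'^[0-9]{4}(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])([01][0-9]|2[0-3])[0-5][0-9]([0-5][0-9]|60)Z$'
}

# make_reset_ldif DN NEWPASSWORD [EXPIRATION]
# Prints an LDIF modify record; EXPIRATION defaults to the current time.
# Assumption: DN and password are single-line ASCII with no leading space,
# colon or "<", so they need no base64 encoding in LDIF.
make_reset_ldif() {
    ldif_dn=$1
    ldif_pw=$2
    ldif_exp=${3:-$(now_generalized_time)}
    if ! is_generalized_time "$ldif_exp"; then
        echo "refusing '$ldif_exp': not GeneralizedTime" >&2
        return 1
    fi
    cat <<EOF
dn: $ldif_dn
changetype: modify
replace: userPassword
userPassword: $ldif_pw
-
replace: passwordExpirationTime
passwordExpirationTime: $ldif_exp
EOF
}

# Usage (OpenLDAP client syntax; host is a placeholder):
#   umask 077
#   make_reset_ldif "uid=jdoe,ou=People,dc=example,dc=com" "$TEMP_PW" > reset.ldif
#   ldapmodify -x -H ldap://ldap.example.com -D "cn=Directory Manager" -W -f reset.ldif
```

Writing the LDIF under `umask 077` and deleting it after the modify keeps the temporary password out of other users' reach.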
 
