On 01/07/2011 01:51 PM, harry.dev...@faa.gov wrote:
In the Directory Server GUI, under the Configuration tab, I have:
Passwords:
Enable fine-grained password policy (checked)
User Password Change:
User must change password after reset (checked)
User may change password (checked)
Allow changes in 2 days
Keep password history: Remember 5 passwords
Password expiration:
Password expires after 90 days
Send warning 10 days before password expires
Allow up to 1 login attempt(s) after password expires
Password syntax:
Check password syntax (unchecked)
Password Encryption: SSHA
Account Lockout:
Accounts may be locked out (checked)
Password lockout
Lockout account after 3 login failures
Reset failure count after 10 minutes
Lockout duration 30 minutes
In the Directory tab, I right-click on People, then select "Manage
Password Policy" -> For subtree:
Passwords:
Fine-grained subtree policy enabled (checked)
User Password Change:
User must change password after reset (checked)
User may change password (checked)
Allow changes in 2 days
Keep password history: Remember 5 passwords
Password expiration:
Password expires after 90 days
Send warning 10 days before password expires
Allow up to 1 login attempt(s) after password expires
Password syntax:
Check password syntax (unchecked)
Password Encryption: SSHA
Account Lockout:
Accounts may be locked out (checked)
Password lockout
Lockout account after 3 login failures
Reset failure count after 10 minutes
Lockout duration 30 minutes
I don't have any specific user password policy at this time. When I
modify a user's password, I can log in from another PC via SSH as that
user using the changed password, but I'm never told it has to be changed.

In the user's entry, when changing the password, also change the
attribute passwordExpirationTime to 0. This should trigger the reset
password code. Note that the attribute passwordExpirationTime is an
operational attribute.

Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
harry.dev...@faa.gov
From: Rich Megginson <rmegg...@redhat.com>
To: Harry Devine/ACT/f...@faa
Cc: "General discussion list for the 389 Directory server project."
<389-us...@lists.fedoraproject.org>, Ted Rush/ACT/f...@faa
Date: 01/07/2011 03:37 PM
Subject: Re: [389-users] Resetting user passwords
------------------------------------------------------------------------
On 01/07/2011 01:23 PM, harry.dev...@faa.gov wrote:
Nope. Didn't work. I edited the entry, put in another password, then
login using the new password and never get prompted to change it. I
saw something online here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords.
Section 13.1.1.5 says something about a bug in Directory Server.

Are you using per-user/per-subtree (i.e. Fine-Grained) password
policy? If not, then that section does not apply.
Can you post all of your password policy configuration?

Is that something that I should follow or is that doc outdated?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
harry.dev...@faa.gov
From: Rich Megginson <rmegg...@redhat.com>
To: "General discussion list for the 389 Directory server project."
<389-us...@lists.fedoraproject.org>
Cc: Harry Devine/ACT/f...@faa, Ted Rush/ACT/f...@faa
Date: 01/07/2011 03:12 PM
Subject: Re: [389-users] Resetting user passwords
------------------------------------------------------------------------
On 01/07/2011 01:02 PM, harry.dev...@faa.gov wrote:
In my 389-ds setup, I have a password policy in place where the user
must change their password after a reset, they are allowed to change
their password, and it expires after 90 days. However, I cannot find
where the Directory Manager can actually RESET a user's password. The
docs are very vague in this area IMO, so I'm sure I overlooked it.

Not sure, but you may be able to login as directory manager, edit the
user's entry, and change the password to some bogus value.

Where do I go in the console to reset a particular user's password so
they will be prompted to change it when they log in again?
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
harry.dev...@faa.gov
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users