We setup authelia to use a “password manager” account which handles the password reset for a user. Plus if you have a ppolicy, you can also implement the policy rules on the frontend side of authelia, so thats a nice feature. But users who need a reset, select “reset password”, input their username and receive an email with a link. Using that link, they are then able to reset their password, and receive a confirmation email that it was successful. You can msg me personally if you have any more questions On Jun 24, 2024 at 2:02 AM -0400, Windl, Ulrich u.windl@ukr.de, wrote:
OK, but how does Authelia manage it?
From: Dave Macias davama@gmail.com Sent: Friday, June 21, 2024 4:28 PM To: openldap-technical openldap-technical@openldap.org; Windl, Ulrich u.windl@ukr.de Subject: [EXT] Re: Q: Reset a locked user's password
We encountered similar issues. At first we had a simple script for reseting own password. Now have a nice self-service frontend with an open source app called authelia. [Windl, Ulrich]
On Jun 21, 2024 at 9:12 AM -0400, Windl, Ulrich u.windl@ukr.de, wrote:
quote_type Hi!
I have a question related to policy and a user with an expired password and all grace logins consumed, like this:
pwdChangedTime[0] 20231127075102Z pwdGraceUseTime[0] 20240429142254Z pwdGraceUseTime[1] 20240430112006Z pwdGraceUseTime[2] 20240527074731Z pwdGraceUseTime[3] 20240528114912Z pwdGraceUseTime[4] 20240528130249Z pwdFailureTime[0] 20240611082600.348275Z
How can the user change his password? The user cannot log in anymoe, obviously. If the user could log in he would have admin privileges. I had the idea to delete the grace logins via ldapmodify, but the result (for version 2.4) was:
ldap_modify: Constraint violation (19) additional info: pwdGraceUseTime: no user modification allowed
So what are the options (for the user himself and for an admin)?
Regards, Ulrich