Hi!
I have a question related to policy and a user with an expired password and all grace logins consumed, like this:
pwdChangedTime[0]
20231127075102Z
pwdGraceUseTime[0]
20240429142254Z
pwdGraceUseTime[1]
20240430112006Z
pwdGraceUseTime[2]
20240527074731Z
pwdGraceUseTime[3]
20240528114912Z
pwdGraceUseTime[4]
20240528130249Z
pwdFailureTime[0]
20240611082600.348275Z
How can the user change his password? The user cannot log in anymore, obviously. If the user could log in he would have admin privileges. I had the idea to delete the grace logins via ldapmodify, but the result (for version 2.4) was:
ldap_modify: Constraint violation (19)
additional info: pwdGraceUseTime: no user modification allowed
So what are the options (for the user himself and for an admin)?
Regards, Ulrich
We encountered similar issues. At first we had a simple script for resetting one's own password. Now we have a nice self-service frontend with an open source app called authelia.
On Jun 21, 2024 at 9:12 AM -0400, Windl, Ulrich u.windl@ukr.de, wrote:
OK, but how does Authelia manage it?
From: Dave Macias davama@gmail.com
Sent: Friday, June 21, 2024 4:28 PM
To: openldap-technical openldap-technical@openldap.org; Windl, Ulrich u.windl@ukr.de
Subject: [EXT] Re: Q: Reset a locked user's password
We set up authelia to use a “password manager” account which handles the password reset for a user. Plus, if you have a ppolicy, you can also implement the policy rules on the frontend side of authelia, so that's a nice feature. But users who need a reset select “reset password”, input their username and receive an email with a link. Using that link, they are then able to reset their password, and receive a confirmation email that it was successful. You can msg me personally if you have any more questions.
On Jun 24, 2024 at 2:02 AM -0400, Windl, Ulrich u.windl@ukr.de, wrote:
OK, but how does Authelia manage it?
--On Friday, June 21, 2024 8:55 AM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
ldap_modify: Constraint violation (19)
additional info: pwdGraceUseTime: no user modification allowed
So what are the options (for the user himself and for an admin)?
This may behave differently in later OpenLDAP releases where ppolicy has been significantly reworked. It also may be possible in 2.4 (but I can't say for sure) if you have manage access, and use both manage + relax.
--Quanah
Quanah,
thank you: Adding "-e relax" to ldapmodify did the trick.
Ulrich
-----Original Message-----
From: Quanah Gibson-Mount quanah@fast-mail.org
Sent: Friday, June 21, 2024 6:12 PM
To: Windl, Ulrich u.windl@ukr.de; openldap-technical <openldap-technical@openldap.org>
Subject: [EXT] Re: Q: Reset a locked user's password
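As an added example (not code from the thread, and not OpenLDAP's own tooling), the fix Quanah pointed at and Ulrich confirmed, put into a small script: it first counts the consumed pwdGraceUseTime values of the entry from the original question against an assumed pwdGraceAuthNLimit of 5 (the limit lives on the policy entry; 5 is an assumption here), then builds the LDIF that deletes them and sends it through ldapmodify with the Relax Rules control (-e relax). LDAP_URI, ADMIN_DN, USER_DN and the sample entry are placeholders or constructed values, not from the thread. As Quanah noted, the bind identity also needs manage-level access to the attribute in the ACLs, or the server will still refuse the modification.

```shell
#!/bin/sh
# Added example, not code from the thread: clear a user's consumed grace
# logins the way Ulrich did (ldapmodify -e relax), after checking how many
# were used. All DNs, the URI and the grace limit are assumed placeholders.

LDAP_URI="${LDAP_URI:-ldap://localhost}"
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=example,dc=com}"
USER_DN="${USER_DN:-uid=ulrich,dc=example,dc=com}"
GRACE_LIMIT="${GRACE_LIMIT:-5}"   # assumed pwdGraceAuthNLimit of the policy

# Constructed sample: the entry from the question, as ldapsearch prints it
# when the ppolicy operational attributes are requested ("+").
SAMPLE_ENTRY='dn: uid=ulrich,dc=example,dc=com
pwdChangedTime: 20231127075102Z
pwdGraceUseTime: 20240429142254Z
pwdGraceUseTime: 20240430112006Z
pwdGraceUseTime: 20240527074731Z
pwdGraceUseTime: 20240528114912Z
pwdGraceUseTime: 20240528130249Z
pwdFailureTime: 20240611082600.348275Z'

# Number of pwdGraceUseTime values in the LDIF entry read from stdin
# (grep -c prints 0 and exits 1 on no match, hence the || true).
count_grace_uses() {
    grep -c '^pwdGraceUseTime:' || true
}

# Exit 0 when the entry on stdin has used up the $1 grace logins allowed.
grace_exhausted() {
    n=$(count_grace_uses)
    [ "$n" -ge "$1" ]
}

# LDIF that deletes the consumed grace logins of user DN $1. The attribute
# is NO-USER-MODIFICATION, so a plain modify fails with "Constraint
# violation (19)"; the Relax Rules control plus manage access lifts that.
build_reset_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: pwdGraceUseTime\n-\n' "$1"
}

# Send the modify. -y reads the admin password from file $2 so it does not
# end up in the shell history or the process list; -e relax is the control.
apply_reset() {
    build_reset_ldif "$1" | ldapmodify -H "$LDAP_URI" -D "$ADMIN_DN" -y "$2" -e relax
}

if [ "${1:-}" = "--apply" ]; then
    apply_reset "$USER_DN" "${2:?path to admin password file}"
else
    used=$(printf '%s\n' "$SAMPLE_ENTRY" | count_grace_uses)
    echo "grace logins used: $used of $GRACE_LIMIT"
    if printf '%s\n' "$SAMPLE_ENTRY" | grace_exhausted "$GRACE_LIMIT"; then
        echo "exhausted; LDIF that --apply would send with -e relax:"
        build_reset_ldif "$USER_DN"
    fi
fi
```

Run it without arguments to see the count and the LDIF for the embedded sample; run it with --apply and the path to a file holding the admin password to actually send the modify. Deleting pwdGraceUseTime only restores the grace logins: the password is still expired, so the user should bind and change it promptly before the new grace logins are used up again.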