Okay, it says: "If pwdChangedTime does not exist, the user's password will not expire."
How have you guys dealt with this? I suspect that just asking people to please change their passwords so we can make sure they expire will result in a low turn-out rate. :p
I also don't want people to just end up locked out either, if at all possible.
Thoughts?
Thanks! - chris
Chris Jacobs, Jr. Unix System Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs@apollogrp.edu
----- Original Message ----- From: Howard Chu hyc@symas.com To: Chris Jacobs Cc: 'tgates81@gmail.com' tgates81@gmail.com; 'openldap-technical@openldap.org' openldap-technical@openldap.org Sent: Tue Mar 23 19:27:53 2010 Subject: Re: Tips when implementing password policies
Chris Jacobs wrote:
I've a few accounts that I was testing with - after I set the password
/after/ ppolicy was in place, things work as expected. Password history, # grace auths, etc.
However, for those accounts existing before the ppolicy was in place, no
enforcement - there's no password change date set, nor any other policy items added - other than the pwdpolicysubentry.
Please read the slapo-ppolicy(5) manpage. In particular, read the description of the pwdChangedTime attribute.
One note: early on in the old ldap installation's use, inetorgperson wasn't a
class on accounts. Is that necessary for pwdpolicy? Would that make everything else work for the legacy accounts?
I'll send an example LDIF of a test account and a legacy account later.
- chris
-- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
--On Tuesday, March 23, 2010 7:37 PM -0700 Chris Jacobs Chris.Jacobs@apollogrp.edu wrote:
Okay, it says: "If pwdChangedTime does not exist, the user's password will not expire."
How have you guys dealt with this? I suspect that just asking people to please change their passwords so we can make sure they expire will result in a low turn-out rate. :p
I also don't want people to just end up locked out either, if at all possible.
Thoughts?
Find all objects without that attribute, and add it. This will force all users who previously didn't have it to have to change their password once that expiration time is reached.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
At the risk of sounding like a nitwit (I suspect it may be too late for that - heh) - how?
I've tried an LDIF, and slapcat complains of key/data pairs existing - Apache Directory Studio reports LDAP: error code 19 - pwdChangedTime: no user modification allowed.
I suppose I /could/ dump the user branch, add the attribute, delete them from LDAP and re-add them via the LDIF - but that seems like using a sledgehammer to set a pin.
I /really/ appreciate everyone's input/help.
Thanks, - chris
-----Original Message----- From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] Sent: Tuesday, March 23, 2010 8:21 PM To: Chris Jacobs; 'hyc@symas.com' Cc: 'tgates81@gmail.com'; 'openldap-technical@openldap.org' Subject: Re: Tips when implementing password policies
On Wednesday, 24 March 2010 03:37:15 Chris Jacobs wrote:
Okay, it says: "If pwdChangedTime does not exist, the user's password will not expire."
How have you guys dealt with this?
Just reset the passwords to their current values, with something along the lines of:
# $rootpw_file: file holding the rootdn password; -y rather than -W so both commands in the pipeline don't prompt at once
ldapsearch -x -D "$rootdn" -y "$rootpw_file" -L "(&(objectClass=posixAccount)(!(pwdChangedTime=*)))" userPassword | ldapmodify -x -D "$rootdn" -y "$rootpw_file"
I suspect that just asking people to please change their passwords so we can make sure they expire will result in a low turn-out rate. :p
Depending on how your users access the directory, setting pwdReset to TRUE may be an alternative.
Regards, Buchan
openldap-technical@openldap.org
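A scripted version of the re-set Buchan describes, added here as an example and not part of the thread or of OpenLDAP's own tooling: it turns the search output into explicit ldapmodify change records (so nothing depends on ldapmodify's default of treating records without a changetype as replace modifications), skips entries that carry no userPassword, and gives a count to check before and after. ROOTDN, ROOTPW_FILE, the function names and the sample DNs are assumed or constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Re-sets each legacy account's userPassword to its
# current value so slapo-ppolicy stamps pwdChangedTime, as Buchan's pipeline does, but with
# explicit "changetype: modify" records. ROOTDN/ROOTPW_FILE are assumed values.

ROOTDN="${ROOTDN:-cn=Manager,dc=example,dc=com}"     # assumed rootdn
ROOTPW_FILE="${ROOTPW_FILE:-/etc/ldap/rootpw.txt}"   # placeholder: file holding the rootdn password
FILTER='(&(objectClass=posixAccount)(!(pwdChangedTime=*)))'

# Convert "ldapsearch -LLL ... userPassword" output (stdin) into ldapmodify change records (stdout).
# Handles base64 ("::") values, folded continuation lines and multi-valued userPassword;
# entries with no userPassword are skipped rather than having their password replaced by nothing.
to_modify_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }      # unfold LDIF continuation lines
    { if (buf != "") emit(buf); buf = $0 }
    END { if (buf != "") emit(buf); flush() }
    function emit(line) {
      if (line ~ /^dn::? /)           { flush(); dn = line; return }
      if (line ~ /^userPassword::? /) { pw = pw line "\n" }
    }
    function flush() {
      if (dn != "" && pw != "")
        printf "%s\nchangetype: modify\nreplace: userPassword\n%s-\n\n", dn, pw
      dn = ""; pw = ""
    }'
}

# Dry run: how many accounts still lack pwdChangedTime ("1.1" requests no attributes).
count_missing() {
  ldapsearch -x -D "$ROOTDN" -y "$ROOTPW_FILE" -LLL "$FILTER" 1.1 | grep -c '^dn:' || true
}

# Apply the re-set; run count_missing afterwards, it should report 0.
apply_reset() {
  ldapsearch -x -D "$ROOTDN" -y "$ROOTPW_FILE" -LLL "$FILTER" userPassword \
    | to_modify_ldif \
    | ldapmodify -x -D "$ROOTDN" -y "$ROOTPW_FILE"
}
```

Because the rootdn rather than the user performs the modification, a policy with pwdMustChange TRUE will also set pwdReset on each entry, so those users are required to change their password at next bind (the effect Buchan mentions as an alternative).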