Hello,
I have set up a password policy for a user account to enforce a few things:

passwordchange: on
passwordchecksyntax: on
passwordexp: on
passwordlockout: on
passwordlockoutduration: 180
passwordmaxage: 7
passwordmustchange: on
passwordmaxfailure: 3
passwordwarning: 518400

With that policy on a user account, I changed one user's password from the 389 console. It basically resets the user's password.

When the user logs in, the user gets the "Password expired. Change your password now." prompt. The user goes through the prompt to change the password. Then the user gets a login shell successfully. The user then logs out.

The next time the user logs in, the user still gets the "Password expired. Change your password now." prompt. It appears the 'passwordexpirationtime' attribute is set to the very first time when the user changed the password, but never set to password change time + 7 days, as the policy is configured.

What went wrong in my previous procedure? How do I get passwordexpirationtime set to the correct time when a user changes their password from an administrative reset?

Thanks,
- xinhuan

On 02/28/2017 11:40 AM, xinhuan zheng wrote:
> Hello,
> I have set up a password policy for a user account to enforce a few things:
>
> passwordchange: on
> passwordchecksyntax: on
> passwordexp: on
> passwordlockout: on
> passwordlockoutduration: 180
> passwordmaxage: 7

Please take a look at the Doc. https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/ht...

3.1.1.182. passwordMaxAge (Password Maximum Age)
Valid Range 1 to the maximum 32 bit integer value (2147483647) in seconds

> passwordmaxfailure: 3
> passwordmustchange: on
> passwordwarning: 518400
>
> With that policy on a user account, I changed one user's password from the 389 console. It basically resets the user's password.
>
> When the user logs in, the user gets the "Password expired. Change your password now." prompt. The user goes through the prompt to change the password. Then the user gets a login shell successfully. The user then logs out.
>
> The next time the user logs in, the user still gets the "Password expired. Change your password now." prompt. It appears the 'passwordexpirationtime' attribute is set to the very first time when the user changed the password, but never set to password change time + 7 days, as the policy is configured.
>
> What went wrong in my previous procedure? How do I get passwordexpirationtime set to the correct time when a user changes their password from an administrative reset?
>
> Thanks,
> - xinhuan

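The reply above cites the documented unit of passwordMaxAge, which is seconds. The following Python script is an added example, not part of the thread and not 389 Directory Server code; it uses the policy values posted in the thread, and assumes a simplified model in which the expiration time is the change time plus passwordMaxAge seconds. The function names, the one-day threshold and the dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

GENERALIZED = "%Y%m%d%H%M%SZ"  # format of passwordExpirationTime values

# Constructed sample: the policy values quoted in the thread.
THREAD_POLICY = {"passwordexp": "on", "passwordmaxage": "7", "passwordwarning": "518400"}


def expiration_time(changed_at, policy):
    """Expiry = change time + passwordMaxAge, read as seconds (assumed model)."""
    expires = changed_at + timedelta(seconds=int(policy["passwordmaxage"]))
    return expires.strftime(GENERALIZED)


def is_expired(expiration, now):
    """True when 'now' is at or past the generalized-time expiration value."""
    expires = datetime.strptime(expiration, GENERALIZED).replace(tzinfo=timezone.utc)
    return now >= expires


def audit(policy, min_lifetime=86400):
    """Return findings that suggest a days-versus-seconds mix-up (hypothetical check)."""
    findings = []
    if policy.get("passwordexp", "off").lower() != "on":
        return findings  # expiration is not enforced, nothing to check
    max_age = int(policy["passwordmaxage"])
    warning = int(policy.get("passwordwarning", "0"))
    if max_age < min_lifetime:
        findings.append(f"passwordMaxAge={max_age}s is under {min_lifetime}s; "
                        f"if days were meant, {max_age} days = {max_age * 86400}s")
    if warning >= max_age:
        findings.append(f"passwordWarning={warning}s covers the whole "
                        f"password lifetime of {max_age}s")
    return findings


if __name__ == "__main__":
    changed = datetime(2017, 2, 28, 11, 0, 0, tzinfo=timezone.utc)  # constructed
    next_login = changed + timedelta(minutes=5)                     # constructed
    for label, policy in (("as posted", THREAD_POLICY),
                          ("7 days in seconds", {**THREAD_POLICY, "passwordmaxage": "604800"})):
        exp = expiration_time(changed, policy)
        print(label, exp, "expired at next login:", is_expired(exp, next_login))
        for finding in audit(policy):
            print("  finding:", finding)
```
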
passwordMaxAge can be expressed in days. I set it to 60 (days) before and it did work as expected. The only thing that blocks me is when the password needs to change. My hope is that upon the user being prompted to change the password and doing so, the passwordexpirationtime would be changed accordingly to the current time + passwordMaxAge, but that didn't happen automatically. I have found that I must set passwordmustchange to off and set passwordexpirationtime to 19700101000000Z (time 0). Once that step is done, the next time the user logs in, the passwordexpirationtime would be set to the new and correct time.

That would mean every user changing a password would need administrative intervention. That seems not right. What would be a better way to handle passwordexpirationtime?