Hello,
Version 389-Directory/1.3.4.11 B2016.182.1718
I'm trying to implement password expiration policy with no success. I've changed my config:

dn: cn=config
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 120

But after that I'm still able to bind with my (or any) user in 389.
Am I missing something? Also, what attribute does 389 use to control that? I could not see any attribute in my user related to that.
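All changes were based on this doc: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy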
Thanks.
On 10/25/2016 10:37 AM, Alberto Viana wrote:
> But after that I'm still able to bind with my (or any) user in 389.
> Am I missing something? Also, what attribute does 389 use to control that? I could not see any attribute in my user related to that.
Additionally, make sure "passwordChange: on" is set in cn=config (so users can change their passwords)
After setting this you must change the password in the entry (this sets the passwordexpirationtime operational attribute in the entry). Then the expiration time will be enforced on future logins for that entry. These settings do not work retroactively.
Hope this helps, Mark
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
On 10/25/2016 11:10 AM, Mark Reynolds wrote:
> After setting this you must change the password in the entry (this sets the passwordexpirationtime operational attribute in the entry).
I forgot to mention that you MUST change the password as the user, not "directory manager" or some admin account. Changing the password as directory manager will not set the passwordexpirationtime operational attribute in the entry (as Directory Manager bypasses password policy).
Mark,
Thanks, I will try on it.
One more question, and what about changing password through winsync plugin?
On Tue, Oct 25, 2016 at 1:21 PM, Mark Reynolds mareynol@redhat.com wrote:
> I forgot to mention that you MUST change the password as the user, not "directory manager" or some admin account. Changing the password as directory manager will not set the passwordexpirationtime operational attribute in the entry (as Directory Manager bypasses password policy).
I already tested it, and it works as expected.
Thanks.
On Tue, Oct 25, 2016 at 2:24 PM, Alberto Viana albertocrj@gmail.com wrote:
> Mark,
> Thanks, I will try on it.
> One more question, and what about changing password through winsync plugin?
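The thread's point that the settings are not retroactive can be checked after enabling passwordExp: entries with no passwordExpirationTime are not yet subject to expiration. The sketch below is an added example, not part of the original posts or of 389 Directory Server; it assumes LDIF from an ldapsearch that explicitly requested passwordExpirationTime, and the DNs, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like ldapsearch output where the operational
# attribute passwordExpirationTime was requested by name (operational
# attributes are not returned otherwise). DNs and times are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
passwordExpirationTime: 20161025152300Z

dn: uid=bob,ou=People,dc=example,dc=com

dn: uid=carol,ou=People,dc=example,dc=com
passwordExpirationTime: 20161025
 171000Z
"""

def parse_entries(ldif):
    """Return {dn: {attr_lowercase: value}}; base64 ('::') values are not decoded."""
    # LDIF folding: a line starting with a single space continues the previous one.
    unfolded = ldif.replace("\n ", "")
    entries = {}
    for block in unfolded.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()] = value.strip()
        if "dn" in attrs:
            entries[attrs.pop("dn")] = attrs
    return entries

def classify(ldif, now):
    """Group DNs into not_enforced / expired / valid by passwordExpirationTime."""
    report = {"not_enforced": [], "expired": [], "valid": []}
    for dn, attrs in parse_entries(ldif).items():
        raw = attrs.get("passwordexpirationtime")
        if raw is None:
            # Per the thread: the attribute is only set once the user changes
            # their own password after the policy was enabled.
            report["not_enforced"].append(dn)
            continue
        expires = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        report["expired" if expires <= now else "valid"].append(dn)
    return report

if __name__ == "__main__":
    # Fixed reference time so the constructed sample gives a stable result.
    print(classify(SAMPLE_LDIF, datetime(2016, 10, 25, 16, 0, tzinfo=timezone.utc)))
```

Accounts reported as not_enforced are the ones that still need a user-initiated password change before the expiration policy applies to them.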