Re: [Freeipa-users] Force to change password in first login
I've used this to extend the password expiration. It should work for setting an expired password expiration. You have to hit enter twice after the krbPasswordExpiration: 2013100800Z line.

# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 2013100800Z

modifying entry uid=username,cn=users,cn=accounts,dc=example,dc=com

ctrl-d

On Tue, 2013-10-08 at 11:51 -0500, cbul...@gmail.com wrote:
> Hi All,
>
> I created a script to add users to freeipa using ldapadd command and it works great. Now I want to forcibly change the password in the first user login. What attribute do I have to change to accomplish this?
>
> Thanks!

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
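
The same modification scripted for several accounts, as an added example that is not part of the original posts. The base DN is the one shown in the thread; the function names and the uid character whitelist are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit the LDIF that marks accounts as "password expired".
# BASE_DN is the placeholder suffix used in the thread; adjust it to your realm.
BASE_DN='cn=users,cn=accounts,dc=example,dc=com'

# Current UTC time as LDAP GeneralizedTime (YYYYmmddHHMMSSZ).
# A krbPasswordExpiration that is not in the future marks the password as expired.
expiry_now() { date -u +%Y%m%d%H%M%SZ; }

# Accept only characters that cannot break out of the RDN or the LDIF line.
valid_uid() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# expire_ldif TIMESTAMP UID... -> one LDIF modify record per valid uid on stdout
expire_ldif() {
  ts=$1; shift
  case "$ts" in
    ''|*[!0-9Z]*) echo "bad timestamp: $ts" >&2; return 1 ;;
  esac
  for u in "$@"; do
    valid_uid "$u" || { echo "skipping invalid uid: $u" >&2; continue; }
    printf 'dn: uid=%s,%s\n' "$u" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'replace: krbPasswordExpiration\n'
    # The blank line after the value ends the record (the "enter twice" step).
    printf 'krbPasswordExpiration: %s\n\n' "$ts"
  done
}

# Preview for one account. To apply, pipe the output to the command from the post:
#   expire_ldif "$(expiry_now)" alice bob | ldapmodify -x -D 'cn=Directory Manager' -W
# -W prompts for the bind password, so it never appears in the process list.
expire_ldif "$(expiry_now)" username
```
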
Re: [Freeipa-users] Force to change password in first login
Rodney,

Thanks!... I totally forgot about it...

Let me ask you about modifying the password using the ldapmodify command. I tried changing the userPassword attribute with {MD5} encryption and it did not work.

ldapmodify -x -H ldap://ipaserver -D cn=directory manager -w 'password' <<EOF
changetype: modify
replace: userPassword
userPassword: {MD5}QvdJref54ZW/R183pEyvyw==
EOF

Do I need to modify another attribute?... Any clue?

Thanks in advance!
Re: [Freeipa-users] Force to change password in first login
I've used grub-md5-crypt to create a password for an openldap server and used this format:

# grub-md5-crypt
Password:
Retype password:
$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1

Here is the ldif that I used to modify the entry on the openldap server:

# cat usermod.ldif
dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {crypt}$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1

I'm not sure if this will work for the directory server that IPA uses? Worth a shot I suppose.

Rodney.
Re: [Freeipa-users] Force to change password in first login
Rodney L. Mercer wrote:
> I've used grub-md5-crypt to create a password for an openldap server and used this format:
>
> # grub-md5-crypt
> Password:
> Retype password:
> $1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>
> Here is the ldif that I used to modify the entry on the openldap server:
>
> # cat usermod.ldif
> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: userPassword
> userPassword: {crypt}$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>
> I'm not sure if this will work for the directory server that IPA uses? Worth a shot I suppose.

crypt will work. Or you can pass it in the clear and it will encrypt it for you using the default password scheme, SSHA1 IIRC.

rob
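
The userPassword values quoted in this thread differ in how they are stored; the following added example (not part of the original posts) reads the {SCHEME} prefix and reports whether the value carries a salt. The function names and output labels are assumptions of this example, and the {SSHA} and cleartext inputs are constructed.

```shell
#!/bin/sh
# Added example: report how a userPassword value is stored, from its {SCHEME} prefix.

# Number of bytes that $1 base64-decodes to (bad input gives a length that fails the checks).
b64_len() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
  echo $((n))
}

# check_len SCHEME VALUE OP BYTES LABEL -> "SCHEME LABEL" or "SCHEME malformed"
check_len() {
  if [ "$(b64_len "$2")" "$3" "$4" ]; then echo "$1 $5"; else echo "$1 malformed"; fi
}

# describe_userpassword VALUE -> "<scheme> <salted|unsalted|cleartext|malformed|...>"
describe_userpassword() {
  # Scheme names are case-insensitive ({crypt} and {CRYPT} are the same scheme).
  scheme=$(printf '%s' "$1" | sed -n 's/^{\([^}]*\)}.*/\1/p' | tr '[:lower:]' '[:upper:]')
  rest=$(printf '%s' "$1" | sed 's/^{[^}]*}//')
  case "$scheme" in
    '')   echo "none cleartext" ;;                        # the server hashes it on write
    MD5)  check_len MD5  "$rest" -eq 16 unsalted ;;       # bare 16-byte digest
    SHA)  check_len SHA  "$rest" -eq 20 unsalted ;;       # bare 20-byte digest
    SMD5) check_len SMD5 "$rest" -gt 16 salted ;;         # digest followed by salt
    SSHA) check_len SSHA "$rest" -gt 20 salted ;;         # digest followed by salt
    CRYPT)
      case "$rest" in
        '$1$'*'$'*) echo "CRYPT-MD5 salted" ;;            # what grub-md5-crypt prints
        '$5$'*'$'*) echo "CRYPT-SHA256 salted" ;;
        '$6$'*'$'*) echo "CRYPT-SHA512 salted" ;;
        *)          echo "CRYPT other" ;;
      esac ;;
    *)    echo "$scheme unknown" ;;
  esac
}

# The two values from the thread, then a constructed {SSHA} value (not a real hash).
for v in '{MD5}QvdJref54ZW/R183pEyvyw==' \
         '{crypt}$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1' \
         '{SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'; do
  printf '%s -> %s\n' "$v" "$(describe_userpassword "$v")"
done
```
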
Re: [Freeipa-users] Force to change password in first login
Thanks Rob and Rodney! Your recommendations worked.