
RE: Tips when implementing password policies



At the risk of sounding like a nitwit (I suspect it may be too late for that - heh) - how?

I've tried an LDIF, and slapcat complains of key/data pairs existing; Apache Directory Studio reports LDAP: error code 19 - pwdChangedTime: no user modification allowed.

I suppose I /could/ dump the user branch, add the attribute, delete them from LDAP and re-add them via the LDIF - but that seems like using a sledgehammer to set a pin.

I /really/ appreciate everyone's input/help.

Thanks,
- chris

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Tuesday, March 23, 2010 8:21 PM
To: Chris Jacobs; 'hyc@symas.com'
Cc: 'tgates81@gmail.com'; 'openldap-technical@openldap.org'
Subject: Re: Tips when implementing password policies

--On Tuesday, March 23, 2010 7:37 PM -0700 Chris Jacobs
<Chris.Jacobs@apollogrp.edu> wrote:

> Okay, it says:
> "If pwdChangedTime does not exist, the user's password will not expire."
>
> How have you guys dealt with this?  I suspect that just asking people to
> please change their passwords so we can make sure they expire will result
> in a low turn-out rate. :p
>
> I also don't want people to just end-up locked out either, if at all
> possible.
>
> Thoughts?

Find all objects without that attribute, and add it.  This will force all
users who previously didn't have it to have to change their password once
that expiration time is reached.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
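The "find every entry without pwdChangedTime and add it" step Quanah suggests, as an added example that is not part of the thread and is not OpenLDAP's own code. It parses the kind of LDIF that `ldapsearch -LLL ... dn pwdChangedTime` prints (the sample below is constructed, not real directory data), picks the entries that lack the attribute, and writes a `changetype: modify` LDIF that sets pwdChangedTime to a GeneralizedTime value. The value is computed from the pwdMaxAge in force so the passwords expire on a date you choose rather than immediately, which avoids the lockout Chris is worried about. Assumptions: pwdMaxAge is 90 days and the DNs and base are invented. Because pwdChangedTime is an operational, NO-USER-MODIFICATION attribute, a plain ldapmodify of the generated file is refused with error 19; it has to be applied either offline (slapcat, edit, slapadd, as Chris describes) or online with the Relax Rules control (`ldapmodify -e relax`), which is knowledge of the tools, not something this thread states.

```python
"""Generate an LDIF that adds pwdChangedTime to ppolicy-managed entries
that lack it, so their passwords start an expiry countdown.

Added example for the openldap-technical thread above; not project code.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of `ldapsearch -LLL -b ou=people,dc=example,dc=com
# '(objectClass=inetOrgPerson)' dn pwdChangedTime`. Base and users are
# invented: alice already has the attribute, bob and carol do not.
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20100301120000Z

dn: uid=bob,ou=people,dc=example,dc=com

dn: uid=carol,ou=people,dc=example,dc=com
"""

PWD_MAX_AGE = 90 * 86400  # assumed pwdMaxAge (seconds) in the policy entry


def parse_entries(ldif_text):
    """Split ldapsearch LDIF output into {dn: {attr: [values]}}.

    Entries are separated by blank lines. Base64 values (`attr::`) and
    folded continuation lines are not handled; DNs and GeneralizedTime
    values never need them.
    """
    entries = {}
    current = None
    for line in ldif_text.splitlines():
        if not line.strip():
            current = None  # blank line ends the entry
            continue
        if line.startswith(("#", "version:")):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def missing_pwd_changed_time(entries):
    """DNs whose password will never expire under ppolicy."""
    return sorted(dn for dn, attrs in entries.items()
                  if "pwdChangedTime" not in attrs)


def generalized_time(when):
    """Format an aware datetime as LDAP GeneralizedTime (UTC, 'Z')."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def changed_time_for_expiry(now_stamp, pwd_max_age, expire_in_days):
    """Back-date pwdChangedTime so that pwdChangedTime + pwdMaxAge lands
    expire_in_days after now_stamp: users get a grace window instead of
    an immediate forced change or lockout."""
    now = parse_generalized_time(now_stamp)
    changed = now + timedelta(days=expire_in_days) - timedelta(seconds=pwd_max_age)
    return generalized_time(changed)


def build_modify_ldif(dns, stamp):
    """One 'changetype: modify' record per DN adding pwdChangedTime.

    pwdChangedTime is NO-USER-MODIFICATION, so feed this to
    `ldapmodify -e relax -f out.ldif` (Relax Rules control) or apply it
    offline around slapcat/slapadd; a plain ldapmodify returns error 19.
    """
    records = [
        f"dn: {dn}\nchangetype: modify\nadd: pwdChangedTime\n"
        f"pwdChangedTime: {stamp}\n-\n"
        for dn in dns
    ]
    return "\n".join(records)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LDIF)
    targets = missing_pwd_changed_time(entries)
    # Expire these passwords 30 days from "now" (fixed here for the demo).
    stamp = changed_time_for_expiry("20100324120000Z", PWD_MAX_AGE, 30)
    print(build_modify_ldif(targets, stamp))
```

Replace the fixed "now" with `generalized_time(datetime.now(timezone.utc))` when running it for real, and check the result with a second ldapsearch for `(!(pwdChangedTime=*))` before announcing the expiry date to users.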

