
List:       fedora-directory-users
Subject:    Re: [389-users] Determine when a password is about to expire
From:       James Roman <james.roman () ssaihq ! com>
Date:       2011-01-24 14:26:06
Message-ID: 4D3D8BFE.3010700 () ssaihq ! com

When I went through this exercise, I learned that PHP alone was not 
going to work well, especially if you ever need to use password 
synchronization with another password system (i.e. AD sync). The PHP way 
of changing an LDAP password essentially involves encrypting and encoding 
the password within your PHP application and writing that encrypted and 
encoded password directly to the user's password attribute. This 
prevents password synchronization to external systems. Ideally you want 
to use the ldapv3 ldappasswd mechanism for changing your password within 
the directory. That way the directory can read and propagate password 
changes correctly. Since PHP did not contain an ldappasswd module, I 
ended up writing a PHP front-end which passes the authentication request 
to a separate Perl script to actually change the password. There is a 
similar sourceforge project called locksmith, but it also does the 
password changes the wrong way (and encodes shorter passwords 
improperly, if I remember correctly).

On 01/21/2011 04:01 PM, harry.devine@faa.gov wrote:
>
> I'm using PHP since I'm trying to make a web-based mechanism for our 
> users to change their passwords.  Many of them aren't exactly 
> tech-savvy, and are used to the old Windows way of logging into our 
> Windows machine, and being told that they must change their password. 
> I'm trying to come up with a way to do that for them.
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine@faa.gov
>
>
> From: 	Rich Megginson <rmeggins@redhat.com>
> To: 	389-users@lists.fedoraproject.org
> Date: 	01/21/2011 03:18 PM
> Subject: 	Re: [389-users] Determine when a password is about to expire
> Sent by: 	389-users-bounces@lists.fedoraproject.org
>
>
> ------------------------------------------------------------------------
>
>
>
> On 01/21/2011 12:20 PM, Aaron Hagopian wrote:
> Harry,
>
> This is the pattern I use to parse the date in java: 
> "yyyyMMddHHmmss'Z'".  You can probably deduce what the values 
> represent by looking at the pattern.  Also the times are stored in UTC 
> so you'll probably want to convert that to the local timezone if 
> you're going to display the date/time to the user.
>
> Aaron
>
> 2011/1/21 <harry.devine@faa.gov>
>
> I can get the passwordexpirationtime value, but I'm unsure what you 
> mean by "set the password expiration to occur immediately".  I'm 
> coming from the Windows world, so I'm used to the "User must change 
> password at next logon" checkbox.  I don't see that anywhere on the 
> GUI, so I'm unclear how you set that.
>
> Also, how do I manipulate the dates?  I get something similar to 
> 20110122161029Z (for example) for passwordexpirationtime.  How do I 
> convert that to a proper date format?
> What programming language are you using?
> http://en.wikipedia.org/wiki/ISO_8601 - the format is used with no 
> separators (e.g. 20110122 instead of 2011-01-22) and no "T" between 
> the date and the time.
> Also, I just changed my account's password while testing, and I see 
> that passwordexpirationtime got reset to 19700101000000Z.  What does 
> the 1970xxx value represent?
> That is a special value meaning the password needs to be changed.
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine@faa.gov
>
> From:	James Roman <james.roman@ssaihq.com>
> To:	389-users@lists.fedoraproject.org
> Date:	01/21/2011 10:17 AM
> Subject:	Re: [389-users] Determine when a password is about to expire
> Sent by:	389-users-bounces@lists.fedoraproject.org
>
>
>
> ------------------------------------------------------------------------
>
>
>
>
> Most LDAP servers use a different schema than the Microsoft version 
> and work from the opposite direction. Try querying 
> "passwordexpirationtime". You can do a search for the specific 
> password schema with the following info: 2.16.840.1.113730.3.2.12 passwordObject
>
> I think it is more common to:
> 1. administratively set the password on a user account
> 2. set the password expiration to occur immediately.
> 3. set the passwordGraceUserTime for a time period that allows the 
> user to log in solely to change their password.
>
> However, you must explicitly program your site to gracefully handle 
> this situation (condition where passwordexpirationtime < now < 
> passwordGraceUserTime) , since the user's LDAP authentication attempt 
> against the directory will fail (with an error indicating the password 
> has expired).
>
> On 01/21/2011 09:45 AM, harry.devine@faa.gov wrote:
>
> I am in the process of creating a web-based mechanism to allow our 
> users to change their password on our new 389-ds server.  I would like 
> to display the date that their password is due to expire, and while 
> Googling around, I see a lot of references to pwdLastSet, but about 
> 95% of the articles are referring to Active Directory.  I don't see 
> pwdLastSet amongst the attributes in my default 389-ds setup.  Is it 
> there, or do I have to add that attribute to every account?
>
> Also, I currently have my pages set up where, when the user logs in, 
> it detects our 'default' password and forces them to change it.  Is 
> there some attribute in their account that I can set that I can key 
> off of and force them to change their password when they login to my site?
>
> Thanks for any tips!
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine@faa.gov
>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

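An added example of my own, in Python rather than the PHP Harry is using: it parses the passwordexpirationtime layout Aaron describes (yyyyMMddHHmmss'Z', UTC, no separators), treats the 19700101000000Z value Rich explains as the must-change marker, converts for local display, and applies the expired-but-still-in-grace condition from James's earlier reply. NOW, the display zone and the grace-window end are constructed values; how the grace end is derived from your policy is an assumption left to the caller.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Value 389-ds writes into passwordexpirationtime when the password must be
# changed (per the thread); it is a marker, not a real epoch-zero timestamp.
MUST_CHANGE_SENTINEL = "19700101000000Z"
# Same layout as the Java pattern yyyyMMddHHmmss'Z': UTC, no separators, no "T".
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

# Constructed "current time" and display zone so the results are reproducible.
NOW = datetime(2011, 1, 21, 16, 10, 29, tzinfo=timezone.utc)
DISPLAY_TZ = timezone(timedelta(hours=-5))


def parse_generalized_time(value: str) -> datetime:
    """Parse a 389-ds time attribute into a timezone-aware UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"not a 389-ds GeneralizedTime value: {value!r}")
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def to_local(when: datetime, tz: timezone) -> str:
    """Render a UTC attribute value in the user's own zone for display."""
    return when.astimezone(tz).strftime("%Y-%m-%d %H:%M %Z")


def password_status(expiration_time: str, now: Optional[datetime] = None,
                    grace_until: Optional[datetime] = None,
                    warn_days: int = 7) -> dict:
    """Classify an account from its passwordexpirationtime attribute.

    grace_until is the end of the change-only grace window the thread
    describes (expiration < now < grace end). Deriving it from policy is
    an assumption of this example; the caller supplies it.
    """
    now = now or datetime.now(timezone.utc)
    if expiration_time == MUST_CHANGE_SENTINEL:
        return {"state": "must_change", "expires": None, "days_left": 0}
    expires = parse_generalized_time(expiration_time)
    remaining = expires - now
    if remaining <= timedelta(0):
        in_grace = grace_until is not None and now < grace_until
        return {"state": "grace" if in_grace else "expired",
                "expires": expires, "days_left": 0}
    state = "expiring_soon" if remaining <= timedelta(days=warn_days) else "ok"
    return {"state": state, "expires": expires, "days_left": remaining.days}


if __name__ == "__main__":
    for raw in ("20110122161029Z", "19700101000000Z", "20110101000000Z"):
        status = password_status(raw, NOW)
        shown = to_local(status["expires"], DISPLAY_TZ) if status["expires"] else "-"
        print(f"{raw}: {status['state']:13} expires {shown}")
```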
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
