bonne Absent Member.
Absent Member.
1410 views

Disable forced password for all users plus disable password

All users are forces to change password within 3 months. I want to:

1) disable this forced password change and
2) disable users to change passwords themself (password should only be changed by an administrator)

Of coarse I can do this in iManager for every single user... but I would like a way to do it on top level for all users in one go.

Anyone?

Regards, Lars.
Labels (1)
0 Likes
9 Replies
Knowledge Partner
Knowledge Partner

Re: Disable forced password for all users plus disable password

Setup a Universal Password policy that prevents password changes by users
(checkbox, non-default, and seldom-changed, but it works) and then be sure
the UP policy does no have an expiration date defined so that there is no
longer a forced password change.

The only catch may be that if users already have a 'Password Expiration
Time' defined, you will need to clear that. That's simple enough too.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
bonne Absent Member.
Absent Member.

Re: Disable forced password for all users plus disable passw

ab;2422420 wrote:
Setup a Universal Password policy that prevents password changes by users
(checkbox, non-default, and seldom-changed, but it works) and then be sure
the UP policy does no have an expiration date defined so that there is no
longer a forced password change.

The only catch may be that if users already have a 'Password Expiration
Time' defined, you will need to clear that. That's simple enough too.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...


Ok - I have found the policies... I will set the prevent password change there.

How to clear the Password Expiration time? Same place? Just set it to 3600 days? Or?

Regards, Lars.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Disable forced password for all users plus disable password

To prevent password expiration, uncheck the checkbox that sets up the
passwords to expire. This will NOT clear existing expiration attributes
on users, but you could do that with a quick export/import via LDAP with a
little scripting in between.

The scripting may look like this; in summary you export users who have a
passwordExpirationTime attribute value, and then you tell LDAP to delete
that attribute on those users; run this directly on the box hosting
eDirectory for simplicity, and put in your admin DN and passwords where
applicable:


#Get the DNs of users with passwordExpirationTime set to something:
ldapsearch -x -LLL -D cn=admin,o=here -w 'passwordHere'
'passwordExpirationTime=*' dn

#Also modify the output to be formatted to delete passwordExpirationTime:
ldapsearch -x -LLL -D cn=admin,o=here -w 'passwordHere'
'passwordExpirationTime=*' dn | sed -e 's/\(dn:.*\)/\1\nchangetype:
modify\ndelete: passwordExpirationTime/'

#Add on an ldapmodify command to do the same thing, but then pump the
#generated text back in to actually do the cleanup of those objects.

ldapsearch -x -LLL -D cn=admin,o=here -w 'passwordHere'
'passwordExpirationTime=*' dn | sed -e 's/\(dn:.*\)/\1\nchangetype:
modify\ndelete: passwordExpirationTime/' | ldapmodify -x -D
cn=admin,o=here -w 'passwordHere' -c


Easy peasy.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
bonne Absent Member.
Absent Member.

Re: Disable forced password for all users plus disable passw

ab;2422718 wrote:



#Get the DNs of users with passwordExpirationTime set to something:
ldapsearch -x -LLL -D cn=admin,o=here -w 'passwordHere'
'passwordExpirationTime=*' dn

#Also modify the output to be formatted to delete passwordExpirationTime:
ldapsearch -x -LLL -D cn=admin,o=here -w 'passwordHere'
'passwordExpirationTime=*' dn | sed -e 's/\(dn:.*\)/\1\nchangetype:
modify\ndelete: passwordExpirationTime/'

#Add on an ldapmodify command to do the same thing, but then pump the
#generated text back in to actually do the cleanup of those objects.

ldapsearch -x -LLL -D cn=admin,o=here -w 'passwordHere'
'passwordExpirationTime=*' dn | sed -e 's/\(dn:.*\)/\1\nchangetype:
modify\ndelete: passwordExpirationTime/' | ldapmodify -x -D
cn=admin,o=here -w 'passwordHere' -c


Easy peasy.
.


When you know how to do it, yes... (-;

Running the second command (the one with sed), I get:

sed: -e expression #1, char 27: unterminated `s' command

Not sure how to terminate it... Call Arnold?

Regards, Lars.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Disable forced password for all users plus disable password

Perhaps paste back your command (removing passwords) into the forum using
the CODE tags feature (looks like a # button I think in the web UI) and
show is what you have. I just copied/pasted my command from here, put in
my own credentials, and it worked without a problem.

I would guess you are missing the trailing slash before the close-quote on
the sed command, since that is what the error means.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
bonne Absent Member.
Absent Member.

Re: Disable forced password for all users plus disable passw

ab;2422814 wrote:
Perhaps paste back your command (removing passwords) into the forum using
the CODE tags feature (looks like a # button I think in the web UI) and
show is what you have. I just copied/pasted my command from here, put in
my own credentials, and it worked without a problem.



CODE tag? Hmm... can't find that.

Anyway, I am entering this:

ldapsearch -x -LLL -D cn=admin,o=xxx -w 'xxx' 'passwordExpirationTime=*' dn | sed -e 's/\(dn:.*\)/\1\nchangetype:
modify\ndelete: passwordExpirationTime/'

And getting sed: -e expression #1, char 27: unterminated `s' command

Regards, Lars.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Disable forced password for all users plus disable password

I presume all of that is actually on one line; if not, that's the problem.

Your command works for me as long as I put in my credentials and remove
the newlines.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
bonne Absent Member.
Absent Member.

Re: Disable forced password for all users plus disable passw

ab;2422841 wrote:
I presume all of that is actually on one line; if not, that's the problem.

Your command works for me as long as I put in my credentials and remove
the newlines.



The terminal breaks it into two lines. adding a '>' on the new line.

But beside that, it is pasted directly into the terminal.

Regards, Lars.
0 Likes
bonne Absent Member.
Absent Member.

Re: Disable forced password for all users plus disable passw

ab;2422841 wrote:
I presume all of that is actually on one line; if not, that's the problem.

Your command works for me as long as I put in my credentials and remove
the newlines.


Ok, sorry... Notepad broke it into two lines...

It works, thanks!

Regards, Lars.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.