[Freeipa-users] Force to change password in first login

Rob Crittenden rcritten at redhat.com
Tue Oct 8 17:53:08 UTC 2013


Rodney L. Mercer wrote:
> I've used grub-md5-crypt to create a password for an openldap server and
> used this format:
> # grub-md5-crypt
> Password:
> Retype password:
> $1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>
> Here is the ldif that I used to modify the entry on the openldap server:
>
> #cat usermod.ldif
> dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> replace: userPassword
> userPassword: {crypt}$1$mGzMO1$zF/c9QxKV.ZZXwlvyR8UO1
>
>
> I'm not sure if this will work for the directory server that IPA uses?
>
> Worth a shot I suppose.

crypt will work. Or you can pass it in the clear and it will encrypt it 
for you using the default password scheme, SSHA1 IIRC.

rob

>
> Rodney.
>
>
>
> On Tue, 2013-10-08 at 12:28 -0500, cbulist at gmail.com wrote:
>> Rodney,
>>
>> Thanks!...I forgot it totally...
>>
>> Let me ask you about modifying the password using the ldapmodify
>> command. I tried changing the userPassword attribute with {MD5}
>> encryption and it did not work.
>>
>> ldapmodify -x -H ldap://ipaserver -D "cn=directory manager" -w
>> 'password' <<EOF
>> changetype: modify
>> replace: userPassword
>> userPassword: {MD5}QvdJref54ZW/R183pEyvyw==
>> EOF
>>
>> Do I need to modify another attribute?...any clue?
>>
>> Thanks in advance!
>>
>>
>>
>> On 10/08/2013 12:07 PM, Rodney L. Mercer wrote:
>>> I've used this to extend the password expiration. It "should" work for
>>> setting an expired password expiration. You have to hit enter twice
>>> after the krbPasswordExpiration: 20131008000000Z line.
>>>
>>> # ldapmodify -x -D 'cn=Directory Manager' -W
>>>   Enter LDAP Password:
>>>   dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
>>>   changetype: modify
>>>   replace: krbPasswordExpiration
>>>   krbPasswordExpiration: 20131008000000Z
>>>
>>>
>>> modifying entry
>>> "uid=username,cn=users,cn=accounts,dc=example,dc=com"
>>>
>>> ctrl-d
>>>
>>>
>>>
>>> On Tue, 2013-10-08 at 11:51 -0500, cbulist at gmail.com wrote:
>>>> Hi All,
>>>>
>>>> I created a script to add users to freeipa using ldapadd command and it
>>>> works great. Now I want to forcibly change the password in the first
>>>> user login. What attribute do I have to change to accomplish this?
>>>>
>>>> Thanks!
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
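
The krbPasswordExpiration change quoted in this thread, as an added example (not part of the original messages and not FreeIPA's own code): a shell function that builds the LDIF modify record and rejects login names that could inject extra DN components or LDIF lines. The suffix and the sample uid reuse the thread's placeholder DN; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build the LDIF that marks an IPA user's password as already
# expired (krbPasswordExpiration in the past), the approach quoted in the thread.
# SUFFIX and the demo uid are the placeholder values used in the thread.

SUFFIX='cn=users,cn=accounts,dc=example,dc=com'

# Accept only conservative login names so the value cannot smuggle DN
# metacharacters or extra LDIF lines into the generated change record.
valid_uid() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Convert epoch seconds to LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ).
# Tries the GNU date syntax first, then the BSD form.
gen_time() {
    date -u -d "@$1" +%Y%m%d%H%M%SZ 2>/dev/null ||
        date -u -r "$1" +%Y%m%d%H%M%SZ
}

# Emit one LDIF modify record expiring the password at the given epoch
# (default: now, so it is already expired at the user's first login).
expire_ldif() {
    uid=$1
    when=${2:-$(date -u +%s)}
    valid_uid "$uid" || { echo "refusing uid: $uid" >&2; return 1; }
    case "$when" in
        ''|*[!0-9]*) echo "bad epoch: $when" >&2; return 1 ;;
    esac
    ts=$(gen_time "$when") || return 1
    printf 'dn: uid=%s,%s\n' "$uid" "$SUFFIX"
    printf 'changetype: modify\n'
    printf 'replace: krbPasswordExpiration\n'
    printf 'krbPasswordExpiration: %s\n\n' "$ts"
}

# Demo with constructed values (1381190400 is 2013-10-08 00:00:00 UTC).
# To apply, pipe the output into the command quoted in the thread:
#   expire_ldif username | ldapmodify -x -D 'cn=Directory Manager' -W
expire_ldif username 1381190400
```

Using `-W` (prompt) as in the quoted expiration command keeps the Directory Manager password out of the shell history and process list, unlike a literal `-w` argument.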



