Author Topic: [SOLVED]How edit user's password by hand  (Read 1752 times)

dodo

[SOLVED]How edit user's password by hand
« on: September 01, 2012, 01:19:22 pm »
Is there any command to edit the user's password?
« Last Edit: September 04, 2012, 03:37:29 pm by dodo »

christian

Re: How edit user's password by hand
« Reply #1 on: September 01, 2012, 02:00:41 pm »
 ??? can't you set it using CLI ?

dodo

Re: How edit user's password by hand
« Reply #2 on: September 01, 2012, 02:10:30 pm »
I need to create a script that changes the password after a certain time..

christian

Re: How edit user's password by hand
« Reply #3 on: September 01, 2012, 02:22:09 pm »
Using a script you can do it using LDAP command...

However, if I had the choice, I would not do it  :-[  this means that:
- either you compute the password, and then if the computation rule is known, it jeopardizes all your security policy
- or you transmit the new password to the user on paper (because as his/her password is new, (s)he should not be able to access a secure place to read it (like, say, email))

Better approach would be to promote password expiration approach, forcing user to change his/her password.
Well, at least this is my own personal view  8)

ichat

Re: How edit user's password by hand
« Reply #4 on: September 01, 2012, 10:13:56 pm »
Doesn't LDAP auth let you set is_expired to a given passwd? If that's true then you don't set the new password but have the user do it on next login...


All tips hints and advices are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk,
I claim absolutely NO responsibility in any way!

christian

Re: How edit user's password by hand
« Reply #5 on: September 01, 2012, 10:50:10 pm »
yes, this could be done... although this is not LDAP related... well, not at protocol level  :P
LDAP protocol doesn't permit anything like this, thus each LDAP server implements its own solution to handle password policy and enforce this.
OpenLDAP solution is based on "ppolicy" overlay (yes this is an overlay. As I wrote, not part of LDAP protocol).

I'm not aware such overlay is installed and configured with current Zentyal version :-[

stuartiannaylor

Re: How edit user's password by hand
« Reply #6 on: September 01, 2012, 11:20:49 pm »
Christian because 3.0 is still RC-1 but I presume being an AD controller then password expiry will be part of the norm?

That is why I say presume as I haven't enough knowledge yet but I think it's a fair bet it will.

dodo

Re: How edit user's password by hand
« Reply #7 on: September 02, 2012, 12:53:36 am »
Quote
Better approach would be to promote password expiration approach, forcing user to change his/her password.
Well, at least this is my own personal view  8)

I need to force the user to ask me the new password

dodo

Re: How edit user's password by hand
« Reply #8 on: September 02, 2012, 02:01:45 am »
Ok I'm close to the solution:

ldappasswd -x -vv -s password1 -w password2 -D cn=ebox,dc=ubuntu uid=user1,ou=Users,dc=ubuntu

password 1 = new user password
password 2 = ldap password  ( /etc/ldap.secret )
Ok this works. tested

now with the at command I can set : echo 'ldappasswd -x -vv -s password -w password -D cn=ebox,dc=ubuntu uid=user1,ou=Users,dc=ubuntu' | at -m 4am + 15 days



« Last Edit: September 02, 2012, 02:34:28 am by dodo »

christian

Re: How edit user's password by hand
« Reply #9 on: September 02, 2012, 06:24:23 am »
 :o :o :o you are not supposed to know user's password  ::)
Is there ever any audit in your company  ???

Furthermore, if in the meantime, user changes his password, your script doesn't work anymore  ;)
If you still want to rely on this kind of approach, then you should rather use an account granted with "admin" rights  8)
« Last Edit: September 02, 2012, 07:18:57 am by christian »

dodo

Re: How edit user's password by hand
« Reply #10 on: September 02, 2012, 10:45:36 am »
:o :o :o you are not supposed to know user's password  ::)

The command asks you to prompt a new password for the user and does not ask for the old user's password

When you have used the script, the user is no longer able to log in to the user corner because the password has been changed by you.

« Last Edit: September 02, 2012, 10:47:59 am by dodo »

christian

Re: How edit user's password by hand
« Reply #11 on: September 02, 2012, 10:56:24 am »
You're correct, I was a bit too fast reading your command.  :-[

My point here was, but it perhaps doesn't matter in your organization, that in most of "standard" companies, user password is not supposed to be stored elsewhere and not supposed to be known by anyone except user itself.
Thus the process, when a password is reset by the help-desk service or an administrator, is to trigger the "password change" control so that the final password is different from the new one.
With your process, at least for what I understand, you will have either to set same value (new password) for all users (in such case any user can authenticate with any account) or store specific password for each user, then this file is clearly the weak point. Furthermore, at least till Zentyal 2.2, there is no trigger to enforce "password change".

Anyway, what matters is that what you design matches your company's policies  ;)  my point was just from a theoretical standpoint  8)

dodo

Re: How edit user's password by hand
« Reply #12 on: September 02, 2012, 11:10:48 am »
I was thinking of using a unique password for the reset command. This password is kept secret on the server and will not be communicated to anyone.

If the user wants to continue to use the service, he will make a request to the help desk, which will generate a new password specific to him
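
Added example, not part of any post in this thread: a variant of the lock-out reset from Reply #8 and Reply #12 that sets a random throwaway password instead of a stored one and passes both secrets to ldappasswd through files (-y, -T) rather than on the command line. The DNs and /etc/ldap.secret come from the thread; the function names, the uid filter and the script path in the comment are assumptions, and the bind password file is assumed to hold the password with no trailing newline.

```shell
#!/bin/sh
# Added example: lock an account by overwriting its password with a random
# value that is never stored or shown to anyone.
BIND_DN="cn=ebox,dc=ubuntu"                        # from the thread
USERS_BASE="ou=Users,dc=ubuntu"                    # from the thread
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ldap.secret}"   # from the thread

# 128 random bits rendered as 32 hex characters.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only simple login names so the uid cannot alter the target DN.
valid_uid() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# reset_password UID: returns ldappasswd's exit status, or 2 on a bad uid.
reset_password() {
    valid_uid "$1" || return 2
    pw_file=$(mktemp) || return 1       # mktemp creates the file mode 0600
    gen_password > "$pw_file"           # written without a trailing newline
    rc=0
    # -y and -T read the secrets from files, so neither password shows up in
    # `ps` output or in the at(1) job spool, unlike -w and -s.
    ldappasswd -x -D "$BIND_DN" -y "$BIND_PW_FILE" -T "$pw_file" \
        "uid=$1,$USERS_BASE" || rc=$?
    rm -f "$pw_file"
    return "$rc"
}

# Scheduling as in Reply #8 (hypothetical install path):
#   echo '/usr/local/sbin/lock-user.sh --reset user1' | at -m 4am + 15 days
if [ "${1:-}" = "--reset" ]; then
    reset_password "${2:-}"
fi
```

Because the random value is discarded, the help desk still has to issue the user a fresh individual password afterwards, as described in Reply #12.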