
Thread: [SOLVED] COS level - if 1st login, force user change pass.

  1. #1

    Hi all,

    While there is a way to force a specific user to change their pass upon 1st log in, is there a way to do it globally/at the COS level?

    I'm trying to automate account creation.

    * This can be done in Exchange and Communigate

  2. #2

    zmprov mc COSname zimbraPasswordMustChange TRUE

    --Edit1--

    Actually it's not available on COS or domain:
    <attr id="41" name="zimbraPasswordMustChange" type="boolean" cardinality="single" optionalIn="account" flags="domainAdminModifiable">
    <desc>must change password on auth</desc>
    </attr>
    I don't see an RFE on having zimbraPasswordMustChange in the COS or domain level, so feel free to open one in bugzilla if you want.

    So either script it into the account creation:
    Code:
    zmprov ca user@domain.com tempPassword zimbraPasswordMustChange TRUE
    zmprov ca user@domain.com '' zimbraPasswordMustChange TRUE
    OR get a list of all users in a COS then apply it to them:
    Code:
    zmprov gc COSName | grep zimbraId
    zmprov sa zimbraCOSId=string > accounts.txt
    More methods here http://www.zimbra.com/forums/adminis...alias-etc.html like:
    zmprov gac -v | grep -e cn: -e zimbraId
    zmprov gaa -v | grep -e mail: -e zimbraCOSId | grep -B1 PutCOSIdStringHere | grep mail: | awk '{print $2}'
    Check that file to make sure you didn't hit Bug 29763 - Missing zimbraCOSId when set to auto
    Then take that list back in:
    zmprov < file.txt where file.txt contains ma user@domain.com zimbraPasswordMustChange TRUE

    ---Edit2---

    Even easier do:
    Code:
    zmprov gc COSName | grep zimbraId
    nano /opt/zimbra/somewhere/script.sh
    -copy the below & save
    -make the file readable & executable with chmod
    -then run ./script.sh as root or zimbra

    Code:
    #!/bin/bash
    # Set zimbraPasswordMustChange on every account the COS search returns
    for i in $(/opt/zimbra/bin/zmprov sa zimbraCOSId=IDStringHERE)
    do
      echo "$i"
      /opt/zimbra/bin/zmprov ma "$i" zimbraPasswordMustChange TRUE
    done
    Last edited by mmorse; 03-24-2009 at 07:15 PM.
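
The "take that list back in" step from the post above, as an added example that is not part of the original post: a POSIX shell function that writes the `ma ... zimbraPasswordMustChange TRUE` lines for `zmprov < file.txt` and refuses any input line that is not a single address. The function name `build_mustchange_batch` and the script name in the usage comment are made up here.

```shell
#!/bin/sh
# Added example (not from the thread): build the zmprov batch file from a list
# of addresses, one per line, such as the accounts.txt written by `zmprov sa`.
# zmprov runs every line of the batch file as a command, so a line that is not
# exactly one address (extra tokens, quotes, stray text) is rejected.

build_mustchange_batch() (
  in_file=$1
  out_file=$2
  cr=$(printf '\r')
  accepted=0
  rejected=0

  : > "$out_file"
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                      # tolerate CRLF input
    [ -z "$line" ] && continue
    case $line in
      *[!A-Za-z0-9._%+@-]*) ok=no ;;        # whitespace, quotes, other syntax
      *@*@*)                ok=no ;;        # more than one @
      ?*@?*.?*)             ok=yes ;;       # local@domain.tld shape
      *)                    ok=no ;;
    esac
    if [ "$ok" = yes ]; then
      printf 'ma %s zimbraPasswordMustChange TRUE\n' "$line" >> "$out_file"
      accepted=$((accepted + 1))
    else
      printf 'rejected: %s\n' "$line" >&2
      rejected=$((rejected + 1))
    fi
  done < "$in_file"

  printf '%s accepted, %s rejected\n' "$accepted" "$rejected" >&2
  # Fail on an empty list (the COS search returned nothing) or on any reject,
  # so the caller does not feed a partial or empty file to zmprov.
  [ "$accepted" -gt 0 ] && [ "$rejected" -eq 0 ]
)

# Usage: ./build_batch.sh accounts.txt file.txt && zmprov < file.txt
if [ "$#" -eq 2 ]; then build_mustchange_batch "$1" "$2"; fi
```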

  3. #3

    Mike,

    Thank you sooo much, yoda man! You just made my life much easier.

    I got this message from a buddy of mine who asked tech support;

    I am sorry but a feature of such sort is not available at the cos level. However while creating an account you can select that option in the Admin console. And if you are using CLI then you can use the following command to enforce password change at first login:

    zmprov ca user@domain.com <password> zimbraPasswordMustChange 'TRUE'

    Thanks and Regards,

  4. #4

    I gather you saw my edits on setting it during account creation, but wanted to point out it can be done via simple script even if already provisioned - assuming you're not suffering from Bug 29763 - Missing zimbraCOSId when set to auto or something, it's an easy:
    Code:
    zmprov gc COSName | grep zimbraId
    nano /opt/zimbra/somewhere/script.sh
    -copy the below & save
    -make the file readable & executable with chmod
    -then run ./script.sh as root or zimbra

    Code:
    #!/bin/bash
    # Set zimbraPasswordMustChange on every account the COS search returns
    for i in $(/opt/zimbra/bin/zmprov sa zimbraCOSId=PutIDStringHere)
    do
      echo "$i"
      /opt/zimbra/bin/zmprov ma "$i" zimbraPasswordMustChange TRUE
    done
    Last edited by mmorse; 03-24-2009 at 07:14 PM.

  5. #5

    Hi Mike,

    Thanks for the reply.

    I would like to add the zmprov ca zimbraPasswordMustChange TRUE to my zmexternaldirsync script but am unsure where to put it.

    I searched for zmprov ca but it appears that the only instance of zmprov ca is for logging purposes.

    However there are many zmprov instances in the file.

    You mind looking at zmexternaldirsync to suggest where I should place it?

    I understand that this is advice that is "as is" so I won't be nagging you. However, I just need a nudge in the right direction.

    Let me know and I can post the script for you.

  6. #6

    Hi Mike,

    Looks like I hit that bug.

    How do I un-set class of service to auto?

    When I run /opt/zimbra/bin/zmprov sa zimbraCOSId=mycosid#

    Nothing comes back.

    I got the COSId by doing;

    zmprov gc COSName | grep zimbraId
    Last edited by aurfalien; 03-26-2009 at 03:49 PM.

  7. #7

    I'm posting this for anyone following this thread.

    I use an external LDAP directory and have Zimbra syncing accounts off of it.

    The script; zmexternaldirsync is very useful for this however I modified the following line so that all users who get provisioned are forced to change their password upon 1st login to Zimbra webmail;

    line 1969 of zmexternaldirsync

    change line from;

    print ZMPROV "ca $str\n";

    to;

    print ZMPROV "ca $str zimbraPasswordMustChange TRUE\n";

    The zmexternaldirsync script allows you to force a single password for all accounts that get provisioned. I set this password to be generic so that users can login to Zimbra and change it.

    I also set up Drupal so that the same type of policy holds true for their external LDAP accounts as well.
