HT203114: If you accidentally lock out an admin in macOS Server
Jan 16, 2016 4:16 PM, in response to Kevin Neal, by MrHoffman: Nope. Not from the GUI. Not short of editing the LDAP database directly. If you do decide to edit the LDAP database directly, then look for details on pwdPolicySubentry in the OpenLDAP documentation, and for details of how to create a password policy object. See man slapo-ppolicy and pwdPolicySubentry in the OpenLDAP documentation.
FWIW, the security-testing folks love these situations, because it's always the administrative passwords that are ancient and crufty and stale, and it's these credentials that get embedded into various accessible locations or passed around in email or otherwise exposed. Put another way, if you think it's important for your users to reset their passwords, then it's even more important to reset the most sensitive and powerful logins at least as frequently as the user passwords are changed. (Plus, this also entirely avoids the political repercussions that can arise when the users learn that they're obligated to change, and IT isn't.)
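The reply above points at slapo-ppolicy and pwdPolicySubentry without showing what the edit looks like. The LDIF below is an added example, not something posted in this thread, and it assumes a directory running the standard OpenLDAP slapo-ppolicy overlay with an existing cn=ppolicy container; the suffix dc=example,dc=com, the policy name cn=no-expiry and the diradmin DN are placeholders to replace with your own values. It creates a separate policy object whose only deviation from the global policy is that the password does not age out, and attaches that policy to a single entry, so the global expiry still applies to every other account.

```ldif
# Added example (not from the thread). Assumes OpenLDAP slapo-ppolicy and an
# existing cn=ppolicy container; all DNs are placeholders for your directory.

# 1. Create a dedicated policy object. pwdPolicy is an auxiliary class, so a
#    structural class (device, as in the OpenLDAP docs) carries the entry.
#    pwdMaxAge 0 means "never expires"; lockout on bad binds is kept on.
dn: cn=no-expiry,cn=ppolicy,dc=example,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: no-expiry
pwdAttribute: userPassword
pwdMaxAge: 0
pwdLockout: TRUE

# 2. Attach the policy to one entry only. pwdPolicySubentry lives on the user
#    entry itself, so it is set with a modify against that entry's DN.
dn: uid=diradmin,cn=users,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=no-expiry,cn=ppolicy,dc=example,dc=com
```

Apply it with `ldapmodify -x -D <admin DN> -W -f policy.ldif` (flags as documented for OpenLDAP's ldapmodify) and confirm the assignment with `ldapsearch -x -D <admin DN> -W -b "uid=diradmin,cn=users,dc=example,dc=com" pwdPolicySubentry`; pwdPolicySubentry is an operational attribute, so it must be named explicitly (or requested with `+`) for ldapsearch to return it. Scoping the exemption to one DN keeps the change auditable: a search for entries carrying pwdPolicySubentry lists exactly which accounts are excluded from the global expiry.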
Jan 17, 2016 1:24 AM, in response to MrHoffman, by Kevin Neal: Thanks for that, I'll check it out.
I don't have a problem changing admin passwords in general, but it seems like a big mistake for the diradmin to expire using global settings, because you don't log into the diradmin account, so you have no opportunity to be warned to update it before it expires, and if it does, as it just did with me, it's hard to recover from the situation.
Jan 17, 2016 8:13 AM, in response to Kevin Neal, by MrHoffman: Digital certificates, passwords and licenses all have expirations. Disk free space checks and update checks and scans of the logs are part of the routine maintenance, as well. Same for checking for new versions of add-on software.
These and other routine tasks get added to the IT administrator's calendar for periodic attention either directly or via ARD, or the requisite operations get automated via script or add-on tools. Being in IT increasingly involves a dedicated calendar — possibly a shared calendar — of what needs to happen and when, either stored locally in Calendar.app or a calendar implemented in the IT helpdesk and ticketing system, depending on the scale of the environment.
If local IT is going to subscribe to the belief that better security involves periodic password changes, then IT must change its own — and far more privileged — passwords, too. If 90-day expiries are good for users, then thirty or maybe sixty days is good for IT.
But then requiring two-factor for at least the administrative users is yet better, for a more secure environment.
But if you do want to disable the password change, as mentioned, set up the custom pwdPolicySubentry entry. Obviously that's not something I'd recommend — stale and shared and exposed privileged accounts are very popular with the attackers. But if you'd like to see an override and an automatic exclusion for the policy, send a suggestion to Apple. (Server.app > Server > Provide Server Feedback...)
Jan 17, 2016 3:04 PM, in response to MrHoffman, by Kevin Neal: Thanks, you are right of course. I think the locking out of diradmin took me by surprise because throughout Yosemite and Server 4 the global policy to require password change after xx time didn't work for my installation; the last time it worked was when it was set through WGM, where admin accounts were excluded from global policies. Now, after the update to Server 5, they started working again out of the blue. I assumed admins were still exempt.
Feb 25, 2016 1:52 AM, in response to Kevin Neal, by Kreesurgeon56: Just been hit with the same problem. In our setup I implemented the password policy (for the first time) and our Kerio mail server stopped authenticating users. Kerio is bound to the directory using the diradmin credentials and set to auth users with Kerberos. Also all of our computers (40+, all Mac) are bound to the directory using the same creds.
My questions are:
1. If set to change every 3 months, will Kerio just stop working every 3 months until the diradmin password is manually reset?
2. Will all Macs need to be re-bound to the directory every 3 months?