  #1 (permalink)  
Old 03-24-2009, 03:29 PM
Senior Member
 
Posts: 60
Default [SOLVED] COS level - if 1st login, force user change pass.

Hi all,

While there is a way to force a specific user to change their pass upon 1st log in, is there a way to do it globally/at the COS level?

I'm trying to automate account creation.

* This can be done in Exchange and Communigate
  #2 (permalink)  
Old 03-24-2009, 04:29 PM
Moderator
 
Posts: 6,237
Default

zmprov mc COSname zimbraPasswordMustChange TRUE

--Edit1--

Actually it's not available on COS or domain:
Quote:
<attr id="41" name="zimbraPasswordMustChange" type="boolean" cardinality="single" optionalIn="account" flags="domainAdminModifiable">
<desc>must change password on auth</desc>
</attr>
I don't see an RFE on having zimbraPasswordMustChange in the COS or domain level, so feel free to open one in bugzilla if you want.

So either script it into the account creation:
Code:
zmprov ca user@domain.com tempPassword zimbraPasswordMustChange TRUE
zmprov ca user@domain.com '' zimbraPasswordMustChange TRUE
OR get a list of all users in a COS then apply it to them:
Code:
zmprov gc COSName | grep zimbraId
zmprov sa zimbraCOSId=string > accounts.txt
More methods here [SOLVED] Looking for reporting output of names, accounts, lists, alias, etc. like:
Quote:
zmprov gac -v | grep -e cn: -e zimbraId
zmprov gaa -v | grep -e mail: -e zimbraCOSId | grep -B1 PutCOSIdStringHere | grep mail: | awk '{print $2}'
Check that file to make sure you didn't hit Bug 29763 - Missing zimbraCOSId when set to auto
Then take that list back in:
zmprov < file.txt where file.txt contains ma user@domain.com zimbraPasswordMustChange TRUE

---Edit2---

Even easier do:
Code:
zmprov gc COSName | grep zimbraId
nano /opt/zimbra/somewhere/script.sh
-copy the below & save
-make the file readable & executable with chmod
-then run ./script.sh as root or zimbra

Code:
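#!/bin/bash
# Set zimbraPasswordMustChange on every account returned for one COS.
# IDStringHERE is the zimbraId printed by: zmprov gc COSName | grep zimbraId
for i in $(/opt/zimbra/bin/zmprov sa zimbraCOSId=IDStringHERE)
do
  echo "$i"
  /opt/zimbra/bin/zmprov ma "$i" zimbraPasswordMustChange TRUE
done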

Last edited by mmorse; 03-24-2009 at 07:15 PM..
Reply With Quote
  #3 (permalink)  
Old 03-24-2009, 04:35 PM
Senior Member
 
Posts: 60
Default

Mike,

Thank you sooo much, yoda man! You just made my life much easier.

I got this message from a buddy of mine who asked tech support;

I am sorry but a feature of such sort is not available at the cos level. However while creating an account you can select that option in the Admin console. And if you are using CLI then you can use the following command to enforce password change at first login:

zmprov ca user@domain.com <password> zimbraPasswordMustChange 'TRUE'

Thanks and Regards,
  #4 (permalink)  
Old 03-24-2009, 07:00 PM
Moderator
 
Posts: 6,237
Default

I gather you saw my edits on setting it during account creation, but wanted to point out it can be done via simple script even if already provisioned - assuming you're not suffering from Bug 29763 - Missing zimbraCOSId when set to auto or something it's an easy:
Code:
zmprov gc COSName | grep zimbraId
nano /opt/zimbra/somewhere/script.sh
-copy the below & save
-make the file readable & executable with chmod
-then run ./script.sh as root or zimbra

Code:
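#!/bin/bash
# Set zimbraPasswordMustChange on every account returned for one COS.
# PutIDStringHere is the zimbraId printed by: zmprov gc COSName | grep zimbraId
for i in $(/opt/zimbra/bin/zmprov sa zimbraCOSId=PutIDStringHere)
do
  echo "$i"
  /opt/zimbra/bin/zmprov ma "$i" zimbraPasswordMustChange TRUE
done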

Last edited by mmorse; 03-24-2009 at 07:14 PM..
  #5 (permalink)  
Old 03-25-2009, 01:54 PM
Senior Member
 
Posts: 60
Default

Hi Mike,

Thanks for the reply.

I would like to add the zmprov ca zimbraPasswordMustChange TRUE to my zmexternaldirsync script but am unsure where to put it.

I searched for zmprov ca but it appears that the only instance of zmprov ca is for logging purposes.

However there are many zmprov instances in the file.

You mind looking at zmexternaldirsync to suggest where I should place it?

I understand that this is advice that is "as is" so I won't be nagging you. However I just need a nudge in the right direction.

Let me know and I can post the script for you.
  #6 (permalink)  
Old 03-26-2009, 03:26 PM
Senior Member
 
Posts: 60
Default

Hi Mike,

Looks like I hit that bug.

How do I un-set class of service to auto?

When I run /opt/zimbra/bin/zmprov sa zimbraCOSId=mycosid#

Nothing comes back.

I got the COSId by doing;

zmprov gc COSName | grep zimbraId

Last edited by aurfalien; 03-26-2009 at 03:49 PM..
  #7 (permalink)  
Old 03-30-2009, 10:12 AM
Senior Member
 
Posts: 60
Default

I'm posting this for anyone following this thread.

I use an external LDAP directory and have Zimbra syncing accounts off of it.

The script; zmexternaldirsync is very useful for this however I modified the following line so that all users who get provisioned are forced to change their password upon 1st login to Zimbra webmail;

line 1969 of zmexternaldirsync

change line from;

print ZMPROV "ca $str\n";

to;

print ZMPROV "ca $str zimbraPasswordMustChange TRUE\n";

The zmexternaldirsync script allows you to force a single password for all accounts that get provisioned. I set this password to be generic so that users can login to Zimbra and change it.

I also setup Drupal so that the same type of policy holds true for their external LDAP accounts as well.