On 30/06/16 14:14, Rob Crittenden wrote:
David Kupka wrote:
On 29/06/16 19:05, Roderick Johnstone wrote:
Hi

If I set a Kerberos principal for a user to expire on a given date
using:
ipa user-mod <user> --principal-expiration=DATE
is it possible to later remove this expiration date rather than just set
it to a time far in the future?

Thanks

Roderick Johnstone


Hello Roderick,
AFAIK the only way to remove principal expiration at the time is to remove the
krbPrincipalExpiration attribute from the user entry in DS.

$ kinit admin
Password for ad...@example.org
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.org
SASL SSF: 56
SASL data security layer installed.
dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
delete: krbprincipalexpiration
modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"

I think that it makes sense to expose this in the API. Could you please file
an RFE (https://fedorahosted.org/freeipa/newticket)?


You just need to pass in a blank value:

$ ipa user-mod <user> --principal-expiration=

rob

Thanks both.

I can indeed confirm that setting --principal-expiration= does in fact remove the Kerberos expiration date.

Roderick

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
