White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
> Are there settings in FreeIPA similar to the setting available from the
> chage command? I am specifically looking for a setting for the time
> after a password expires to allow the user to update it.
>
> I am looking for the same "grace period" that the non-IPA shell password
> has. From the chage man page:
>
> -M, --maxdays MAX_DAYS
>     Set the maximum number of days during which a password is valid. When
>     MAX_DAYS plus LAST_DAY is less than the current day, the user will be
>     required to change his/her password before being able to use his/her
>     account.
> -I, --inactive INACTIVE
>     Set the number of days of inactivity after a password has expired before
>     the account is locked. The INACTIVE option is the number of days of
>     inactivity. A user whose account is locked must contact the system
>     administrator before being able to use the system again.
>
> I find nothing like this in the documentation.
>
> I do know, however, that when a user is initially created, the password
> expire time is set to the current clock time.
> When the user logs in for the first time, they are prompted to change
> their password.
> I am looking for a parameter -- like chage's INACTIVE -- that defines a
> grace period from the time the password expires until the account is
> locked and requires admin intervention.
>
> Or does that only happen for the account creation?

There is nothing automated to do this. Theoretically you could use
krbprincipalexpiration to enforce this but there is nothing that will
add some offset to it when a password is changed.

I think it would be fairly straightforward to add but it would require a
new policy attribute, new CLI/UI to manage that attribute, etc. The
actual setting of the attribute is probably like 5 lines of code.

rob
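
An added example, not part of the original thread and not FreeIPA code: one way an external job could derive `krbPrincipalExpiration` from `krbPasswordExpiration` plus a grace offset and emit LDIF for `ldapmodify`. It assumes both attributes hold UTC GeneralizedTime values of the form `YYYYMMDDHHMMSSZ`; the function names, DNs and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: timestamps are UTC GeneralizedTime, e.g. 20240301120000Z.
GT_FORMAT = "%Y%m%d%H%M%SZ"


def parse_gt(value):
    """Parse a GeneralizedTime string into an aware UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def principal_expiration(password_expiration, grace_days):
    """Return the krbPrincipalExpiration value: password expiry + grace."""
    if grace_days < 0:
        raise ValueError("grace_days must not be negative")
    moment = parse_gt(password_expiration) + timedelta(days=grace_days)
    return moment.strftime(GT_FORMAT)


def grace_ldif(entries, grace_days):
    """Build LDIF modify records for entries whose value needs updating.

    entries: iterable of (dn, krbPasswordExpiration, krbPrincipalExpiration)
    where either attribute may be None if it is absent on the entry.
    """
    records = []
    for dn, pw_exp, current in entries:
        if not pw_exp:
            continue  # no password expiry set: nothing to derive from
        wanted = principal_expiration(pw_exp, grace_days)
        if current == wanted:
            continue  # already in sync, avoid a needless write
        records.append(
            f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: krbPrincipalExpiration\n"
            f"krbPrincipalExpiration: {wanted}\n"
            "-\n"
        )
    return "\n".join(records)


# Constructed sample entries, not taken from a real directory.
SAMPLE = [
    ("uid=alice,cn=users,cn=accounts,dc=example,dc=test", "20240301120000Z", None),
    ("uid=bob,cn=users,cn=accounts,dc=example,dc=test", "20240220000000Z", "20240305000000Z"),
    ("uid=svc,cn=users,cn=accounts,dc=example,dc=test", None, None),
]

if __name__ == "__main__":
    print(grace_ldif(SAMPLE, grace_days=14), end="")
```

Because nothing recomputes the offset when a password is changed, a job like this has to run on a schedule so that a fresh `krbPasswordExpiration` moves `krbPrincipalExpiration` forward again.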
