Rob Crittenden wrote:

> White, Daniel E. (GSFC-770.0)[NICS] wrote:
> > For your amusement:
> >
> > Red Hat Support referred me to
> >
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.redhat.com_show-5Fbug.cgi-3Fid-3D1273040&d=DwIDaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=ef_FKlWa7jWGmQqTrjkcoDY1VuVtcI_10ClISjA3_V8&m=y-iLNGeQXYoLVEUMmdbqiwkxts-jeBvl51R-a95lZbs&s=JdVGAnRRpmqAANiGZ7Fx6eqI90zetMQr-m_obMz-Trg&e=
> > (A RHEL 7 RFE)
> >
> > and
> >
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.redhat.com_show-5Fbug.cgi-3Fid-3D1654395&d=DwIDaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=ef_FKlWa7jWGmQqTrjkcoDY1VuVtcI_10ClISjA3_V8&m=y-iLNGeQXYoLVEUMmdbqiwkxts-jeBvl51R-a95lZbs&s=bnoH5dgRdx0RsRyE0mSA1_7p3DvS4z097nDe5i92raE&e=
> > (The same RFE, pushed to RHEL 8)
>
> IMHO those contain a different question than you're asking. Those BZ are about marking unused accounts vs allowing a grace period after password expiration.

This is why I started with "For your amusement".

> > ..., saying, "You can also set a policy to automatically disable an account if the password has not been changed within X number of weeks after the password has expired"
>
> No, you can't, there is no policy setting for that. And I don't believe that is in the scope of the BZ either. Password expiration isn't a consideration and is, IMHO, a separate policy question like you suggested: a grace period after expiration before marking account inactive.
>
> > Maybe I can get some technical detail here.
> >
> > When a new login is created, it has a "temporary" password that must be changed.
> > I have logins I created 4 months ago that have not yet been used.
> > Will the initial password still work?
>
> Yes.

Thank you.

> > In the documentation about password policy, referencing the "Max lifetime" attribute, it says,
> >
> > "Example: Max lifetime = 90 -- User passwords are valid only for 90 days. After that, IdM prompts users to change them."
> >
> > How long can the user wait and still be able to update the password?
>
> Forever. Max life is password expiration, min life prevents changing passwords too frequently.

Again, thank you.

> > What controls these behaviors?
>
> As I said before, I think only krbprincipalexpiration would help here. There is no policy/setting in IPA to disable an account X days after a password has expired.
>
> That said, this is probably scriptable using LDAP to find the entries and call ipa user-disable <id> to mark inactive the users.
>
> rob

Actually, I do not want to disable accounts at all.

A user requested a password reset. I found out he was trying to log in to an application that uses IdM for credentials - one of the few we were able to get working. Based on this new information, I suspect that there were multiple attempts to log in to the app, eventually causing a lockout due to "failed" authentication.

When authenticating to IdM/FreeIPA through an app, I suspect it won't tell you that your password expired, just that the login failed. Is that a reasonable suspicion?

Again, thanks to all you FreeIPA folks for being here to answer questions that Tier One Red Hat support cannot answer.

--
Daniel E. White
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road, Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
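Rob's remark that the entries can be found over LDAP, and Daniel's suspicion that an application only reports "login failed", suggest a read-only check rather than a disable: pull the Kerberos attributes for each user and explain which condition would make a login fail. The example below is added here and is not code from either poster or from FreeIPA; it parses constructed `ldapsearch`-style LDIF output (made-up users and timestamps) and assumes the FreeIPA schema attribute names `krbPasswordExpiration`, `krbLastPwdChange`, `krbPrincipalExpiration`, `krbLastSuccessfulAuth` and `nsAccountLock`, plus the assumption that an admin-set initial password is stored already expired (expiration equal to last change), which is what forces the change at first use.

```python
from datetime import datetime, timezone

# Constructed sample in the shape `ldapsearch -LLL` returns for FreeIPA users.
# Attribute names follow the FreeIPA Kerberos schema; all values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastPwdChange: 20190101120000Z
krbPasswordExpiration: 20190401120000Z
krbLastSuccessfulAuth: 20190320080000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastPwdChange: 20190601120000Z
krbPasswordExpiration: 20190830120000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
krbLastPwdChange: 20190201120000Z
krbPasswordExpiration: 20190201120000Z
krbPrincipalExpiration: 20190501000000Z
"""

KRB_TIME = "%Y%m%d%H%M%SZ"  # GeneralizedTime as stored by the KDC

def parse_ldif(text):
    """Split LDIF into one dict per entry (single-valued attributes only)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(": ")
        cur[key] = val
    if cur:
        entries.append(cur)
    return entries

def krb_time(value):
    return datetime.strptime(value, KRB_TIME).replace(tzinfo=timezone.utc)

def classify(entry, now):
    """List the conditions, as of `now`, that would make a login fail or be rejected
    as 'bad credentials' by an application that only forwards pass/fail."""
    reasons = []
    pw_exp = entry.get("krbPasswordExpiration")
    if pw_exp and krb_time(pw_exp) <= now:
        # Assumption: an admin-set initial password has expiration == last change.
        if entry.get("krbLastPwdChange") == pw_exp:
            reasons.append("initial password must be changed")
        else:
            reasons.append("password expired")
    princ_exp = entry.get("krbPrincipalExpiration")
    if princ_exp and krb_time(princ_exp) <= now:
        reasons.append("principal expired")
    if entry.get("nsAccountLock", "FALSE").upper() == "TRUE":
        reasons.append("account disabled")
    if "krbLastSuccessfulAuth" not in entry:
        reasons.append("never authenticated")
    return reasons

def report(ldif_text, now):
    """Map each uid to its list of failure reasons (empty list = nothing found)."""
    return {e["uid"]: classify(e, now) for e in parse_ldif(ldif_text)}
```

Run against real output by piping `ldapsearch -LLL -b cn=users,cn=accounts,<base> uid krb*` into `report()`; the result only reports, so it is safe to run before deciding whether any `ipa user-disable` is warranted.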
