On Tue, 2012-05-08 at 09:55 +0400, free...@noboost.org wrote:
> Hi,
> 
> Spec: 
> Red Hat Enterprise Linux Server release 6.2 (Santiago)
>   ipa-admintools-2.1.3-9.el6.x86_64
>   ipa-client-2.1.3-9.el6.x86_64
>   ipa-pki-ca-theme-9.0.3-7.el6.noarch
>   ipa-pki-common-theme-9.0.3-7.el6.noarch
>   ipa-python-2.1.3-9.el6.x86_64
>   ipa-server-2.1.3-9.el6.x86_64
>   ipa-server-selinux-2.1.3-9.el6.x86_64
> 
> Issue:
> Firstly I'll declare someone must have seen this by now?
> 
> I've set the password policy to 99999;
> [root@sysvm-ipa ~]# ipa pwpolicy-show
>   Group: global_policy
>   Max lifetime (days): 99999
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 6
>   Max failures: 6
>   Failure reset interval: 60
>   Lockout duration: 600
> 
> But old accounts are not getting the change at the ldap level, even
> though IPA claims the expiry date has updated. 
> e.g. 
> [root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
>   Group: global_policy
>   Max lifetime (days): 99999
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 6
>   Max failures: 6
>   Failure reset interval: 60
>   Lockout duration: 600
> 
> 
> ldapsearch (command chopped)
> # john, users, accounts, teratext.saic.com.au
> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> krbPasswordExpiration: 20120506011529Z
> 
> 
> So now when the user(s) logs in, I'm getting "password will expire in XX
> days" messages. 
> 
> Any ideas?
> Can I globally update this somehow, otherwise I'll be re-typing
> passwords for a while.

Password policies are applied at password change time, if you want to
change the password expiration time of a specific user w/o forcing a
password change then you need to change the krbPasswordExpiration
attribute on the user.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to