On Tue, 2012-05-08 at 09:55 +0400, [email protected] wrote:
> Hi,
>
> Spec:
> Red Hat Enterprise Linux Server release 6.2 (Santiago)
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Issue:
> Firstly I'll declare someone must have seen this by now?
>
> I've set the password policy to 99999;
> [root@sysvm-ipa ~]# ipa pwpolicy-show
> Group: global_policy
> Max lifetime (days): 99999
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 6
> Max failures: 6
> Failure reset interval: 60
> Lockout duration: 600
>
> But old accounts are not getting the change at the ldap level, even
> though IPA claims the expiry date has updated.
> e.g.
> [root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
> Group: global_policy
> Max lifetime (days): 99999
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 6
> Max failures: 6
> Failure reset interval: 60
> Lockout duration: 600
>
>
> ldapsearch (command chopped)
> # john, users, accounts, teratext.saic.com.au
> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> krbPasswordExpiration: 20120506011529Z
>
>
> So now when the user(s) logs in, I'm getting "password will expire in XX
> days" messages.
>
> Any ideas?
> Can I globally update this somehow, otherwise I'll be re-typing
> passwords for a while.

Password policies are applied at password change time. If you want to change the password expiration time of a specific user w/o forcing a password change, then you need to change the krbPasswordExpiration attribute on the user.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
