On Tue, May 8, 2012 at 1:55 AM, <[email protected]> wrote:
> Hi,
>
> Spec:
> Red Hat Enterprise Linux Server release 6.2 (Santiago)
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Issue:
> Firstly I'll declare someone must have seen this by now?
>
> I've set the password policy to 99999;
> [root@sysvm-ipa ~]# ipa pwpolicy-show
> Group: global_policy
> Max lifetime (days): 99999
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 6
> Max failures: 6
> Failure reset interval: 60
> Lockout duration: 600
>
> But old accounts are not getting the change at the ldap level, even
> though IPA claims the expiry date has updated.
> e.g.
> [root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
> Group: global_policy
> Max lifetime (days): 99999
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 6
> Max failures: 6
> Failure reset interval: 60
> Lockout duration: 600
>
>
> ldapsearch (command chopped)
> # john, users, accounts, teratext.saic.com.au
> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> krbPasswordExpiration: 20120506011529Z
>
>
> So now when the user(s) logs in, I'm getting "password will expire in XX
> days" messages.
>
> Any ideas?
> Can I globally update this somehow, otherwise I'll be re-typing
> passwords for a while.
A password reset by admin always expires the password. I think once the user first changes their password it will have the lifetime that you specified.

You can force the expiration date using an ldapmodify command:

ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv -f update_krbpasswordexpiration.ldif

Where the update_krbpasswordexpiration.ldif file contains:

dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20140202203734Z

You could do this as admin if you have a ticket so that you don't have to enter the directory manager password.

Hope this helps,

Dan

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
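Added example, not code from Dan's reply or from the FreeIPA project: a small Python script that produces the same kind of LDIF for a whole list of users at once, with the new krbPasswordExpiration computed from the policy's "Max lifetime (days)" instead of typed by hand. The base DN, the uids and the reference timestamp are assumed sample values; the output is meant for the ldapmodify -f command given in the reply.

```python
"""Bulk version of the krbPasswordExpiration LDIF from the reply above."""
from datetime import datetime, timedelta, timezone

# Assumed base DN; matches the dn in the thread, adjust for your realm.
BASE_DN = "dc=example,dc=com"
GT_FORMAT = "%Y%m%d%H%M%SZ"   # LDAP GeneralizedTime as IPA stores it


def parse_generalized_time(value: str) -> datetime:
    """Parse a value as printed by ldapsearch, e.g. 20120506011529Z."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def generalized_time(when: datetime) -> str:
    """Inverse of parse_generalized_time(); always emits UTC with 'Z'."""
    return when.astimezone(timezone.utc).strftime(GT_FORMAT)


def expiry_from_lifetime(max_lifetime_days: int, now: datetime) -> str:
    """New expiry = now + the policy's 'Max lifetime (days)'."""
    return generalized_time(now + timedelta(days=max_lifetime_days))


def user_dn(uid: str, base_dn: str = BASE_DN) -> str:
    return f"uid={uid},cn=users,cn=accounts,{base_dn}"


def build_ldif(uids, expiry: str, base_dn: str = BASE_DN) -> str:
    """One 'changetype: modify' record per uid, blank-line separated,
    in the same shape as update_krbpasswordexpiration.ldif above."""
    records = []
    for uid in uids:
        records.append("\n".join([
            f"dn: {user_dn(uid, base_dn)}",
            "changetype: modify",
            "replace: krbPasswordExpiration",
            f"krbPasswordExpiration: {expiry}",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the thread's policy value and two uids.
    # Redirect the output to a file and pass it to ldapmodify with -f.
    now = datetime.now(timezone.utc)
    expiry = expiry_from_lifetime(99999, now)
    print(build_ldif(["john", "jane"], expiry), end="")
```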
