On Tue, May 8, 2012 at 1:55 AM,  <free...@noboost.org> wrote:
> Hi,
>
> Spec:
> Red Hat Enterprise Linux Server release 6.2 (Santiago)
>  ipa-admintools-2.1.3-9.el6.x86_64
>  ipa-client-2.1.3-9.el6.x86_64
>  ipa-pki-ca-theme-9.0.3-7.el6.noarch
>  ipa-pki-common-theme-9.0.3-7.el6.noarch
>  ipa-python-2.1.3-9.el6.x86_64
>  ipa-server-2.1.3-9.el6.x86_64
>  ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Issue:
> Firstly I'll declare someone must have seen this by now?
>
> I've set the password policy to 99999;
> [root@sysvm-ipa ~]# ipa pwpolicy-show
>  Group: global_policy
>  Max lifetime (days): 99999
>  Min lifetime (hours): 1
>  History size: 0
>  Character classes: 0
>  Min length: 6
>  Max failures: 6
>  Failure reset interval: 60
>  Lockout duration: 600
>
> But old accounts are not getting the change at the ldap level, even
> though IPA claims the expiry date has updated.
> e.g.
> [root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
>  Group: global_policy
>  Max lifetime (days): 99999
>  Min lifetime (hours): 1
>  History size: 0
>  Character classes: 0
>  Min length: 6
>  Max failures: 6
>  Failure reset interval: 60
>  Lockout duration: 600
>
>
> ldapsearch (command chopped)
> # john, users, accounts, teratext.saic.com.au
> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> krbPasswordExpiration: 20120506011529Z
>
>
> So now when the user(s) logs in, I'm getting "password will expire in XX
> days" messages.
>
> Any ideas?
> Can I globally update this somehow, otherwise I'll be re-typing
> passwords for a while.

A password reset by admin always expires the password. I think once
the user first changes their password it will have the lifetime that
you specified.

You can force the expiration date using an ldapmodify command:

ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
-f update_krbpasswordexpiration.ldif

Where the update_krbpasswordexpiration.ldif file contains:

dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20140202203734Z

You could do this as admin if you have a ticket so that you don't have
to enter the directory manager password.

Hope this helps,

Dan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to