On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> Dan Scott wrote:
> >On Tue, May 8, 2012 at 1:55 AM, <[email protected]> wrote:
> >>Hi,
> >>
> >>Spec:
> >>Red Hat Enterprise Linux Server release 6.2 (Santiago)
> >>  ipa-admintools-2.1.3-9.el6.x86_64
> >>  ipa-client-2.1.3-9.el6.x86_64
> >>  ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>  ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>  ipa-python-2.1.3-9.el6.x86_64
> >>  ipa-server-2.1.3-9.el6.x86_64
> >>  ipa-server-selinux-2.1.3-9.el6.x86_64
> >>
> >>Issue:
> >>Firstly I'll declare someone must have seen this by now?
> >>
> >>I've set the password policy to 99999;
> >>[root@sysvm-ipa ~]# ipa pwpolicy-show
> >>  Group: global_policy
> >>  Max lifetime (days): 99999
> >>  Min lifetime (hours): 1
> >>  History size: 0
> >>  Character classes: 0
> >>  Min length: 6
> >>  Max failures: 6
> >>  Failure reset interval: 60
> >>  Lockout duration: 600
> >>
> >>But old accounts are not getting the change at the ldap level, even
> >>though IPA claims the expiry date has updated.
> >>e.g.
> >>[root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
> >>  Group: global_policy
> >>  Max lifetime (days): 99999
> >>  Min lifetime (hours): 1
> >>  History size: 0
> >>  Character classes: 0
> >>  Min length: 6
> >>  Max failures: 6
> >>  Failure reset interval: 60
> >>  Lockout duration: 600
> >>
> >>
> >>ldapsearch (command chopped)
> >># john, users, accounts, teratext.saic.com.au
> >>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> >>krbPasswordExpiration: 20120506011529Z
> >>
> >>
> >>So now when the user(s) logs in, I'm getting "password will expire in XX
> >>days" messages.
> >>
> >>Any ideas?
> >>Can I globally update this somehow, otherwise I'll be re-typing
> >>passwords for a while.
> >
> >A password reset by admin always expires the password. I think once
> >the user first changes their password it will have the lifetime that
> >you specified.
> >
> >You can force the expiration date using an ldapmodify command:
> >
> >ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
> >-f update_krbpasswordexpiration.ldif
> >
> >Where the update_krbpasswordexpiration.ldif file contains:
> >
> >dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> >changetype: modify
> >replace: krbpasswordexpiration
> >krbpasswordexpiration: 20140202203734Z
> >
> >You could do this as admin if you have a ticket so that you don't have
> >to enter the directory manager password.
>
> This is great, thanks Dan.
>
> BTW the equivalent command using a Kerberos ticket is:
>
> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
> update_krbpasswordexpiration.ldif
>
> rob

Thanks, great advice. So just to clarify, do the rear numbers just represent hours, seconds etc?
e.g.
krbpasswordexpiration: 20150101203734Z
krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour, 37=min, 34=sec)?

cya
Craig

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
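As an added worked example (not code from the thread and not part of FreeIPA), the script below builds the batch LDIF that Dan's and Rob's ldapmodify invocations consume, for several accounts in one file, and encodes and decodes the timestamp format the last message asks about. krbPasswordExpiration is an LDAP GeneralizedTime value, YYYYMMDDHHMMSSZ in UTC, so in 20150101203734Z the trailing digits are 20 hours, 37 minutes, 34 seconds and the Z means UTC. The base DN dc=example,dc=com is the one used in the thread; the user list, the dates and the helper names (make_utc, expiration_ldif, is_expired) are constructed for this example.

```python
"""Generate a krbPasswordExpiration batch LDIF and handle the timestamp format.

Added example for the thread above; not FreeIPA's own code.
"""
from datetime import datetime, timezone

# Constructed sample values for the example (assumptions, not from the thread).
BASE_DN = "dc=example,dc=com"
SAMPLE_USERS = ["john", "alice"]

# LDAP GeneralizedTime as stored by IPA: year, month, day, hour, minute,
# second, then a literal Z for UTC (no fractional seconds, no offset).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def make_utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime so local time never leaks in."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def to_generalized_time(dt):
    """Encode a timezone-aware datetime as YYYYMMDDHHMMSSZ.

    Non-UTC datetimes are converted first; a naive datetime is rejected
    because its meaning would depend on the host's timezone.
    """
    if dt.tzinfo is None:
        raise ValueError("expected a timezone-aware datetime")
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def from_generalized_time(value):
    """Decode an attribute value such as 20120506011529Z into a UTC datetime."""
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError("not a YYYYMMDDHHMMSSZ timestamp: %r" % (value,))
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def is_expired(value, now):
    """True when the stored expiration is already in the past, which is the
    state john's entry (20120506011529Z) was in when the thread was written."""
    return from_generalized_time(value) <= now


def expiration_ldif(users, expires_at, base_dn=BASE_DN):
    """One 'changetype: modify' record per user, in the same shape as the LDIF
    posted in the thread, so a whole batch of accounts is updated by a single
    ldapmodify -f run instead of one file per user.

    Assumes plain alphanumeric uids; DN escaping of special characters is
    not handled here.
    """
    stamp = to_generalized_time(expires_at)
    records = []
    for uid in users:
        records.append("\n".join([
            "dn: uid=%s,cn=users,cn=accounts,%s" % (uid, base_dn),
            "changetype: modify",
            "replace: krbPasswordExpiration",
            "krbPasswordExpiration: %s" % stamp,
        ]))
    # Blank line between records is what separates LDIF change records.
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    new_expiry = make_utc(2015, 1, 1, 20, 37, 34)
    print(expiration_ldif(SAMPLE_USERS, new_expiry), end="")
    print("# john's old value expired on 2012-05-08:",
          is_expired("20120506011529Z", make_utc(2012, 5, 8)))
```

Redirect the script's output to update_krbpasswordexpiration.ldif and pass it to the GSSAPI form of ldapmodify that Rob posted; afterwards an ldapsearch for krbPasswordExpiration on one of the modified entries confirms the new value landed. Keeping the timestamp generation in code rather than typing it by hand avoids the easy mistake of writing a local time into a field that is interpreted as UTC.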
