On Tue, May 8, 2012 at 8:45 PM, <[email protected]> wrote:
> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
>> Dan Scott wrote:
>> >On Tue, May 8, 2012 at 1:55 AM,<[email protected]> wrote:
>> >>Hi,
>> >>
>> >>Spec:
>> >>Red Hat Enterprise Linux Server release 6.2 (Santiago)
>> >> ipa-admintools-2.1.3-9.el6.x86_64
>> >> ipa-client-2.1.3-9.el6.x86_64
>> >> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> >> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> >> ipa-python-2.1.3-9.el6.x86_64
>> >> ipa-server-2.1.3-9.el6.x86_64
>> >> ipa-server-selinux-2.1.3-9.el6.x86_64
>> >>
>> >>Issue:
>> >>Firstly I'll declare someone must have seen this by now?
>> >>
>> >>I've set the password policy to 99999;
>> >>[root@sysvm-ipa ~]# ipa pwpolicy-show
>> >> Group: global_policy
>> >> Max lifetime (days): 99999
>> >> Min lifetime (hours): 1
>> >> History size: 0
>> >> Character classes: 0
>> >> Min length: 6
>> >> Max failures: 6
>> >> Failure reset interval: 60
>> >> Lockout duration: 600
>> >>
>> >>But old accounts are not getting the change at the ldap level, even
>> >>though IPA claims the expiry date has updated.
>> >>e.g.
>> >>[root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
>> >> Group: global_policy
>> >> Max lifetime (days): 99999
>> >> Min lifetime (hours): 1
>> >> History size: 0
>> >> Character classes: 0
>> >> Min length: 6
>> >> Max failures: 6
>> >> Failure reset interval: 60
>> >> Lockout duration: 600
>> >>
>> >>
>> >>ldapsearch (command chopped)
>> >># john, users, accounts, teratext.saic.com.au
>> >>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
>> >>krbPasswordExpiration: 20120506011529Z
>> >>
>> >>
>> >>So now when the user(s) logs in, I'm getting "password will expire in XX
>> >>days" messages.
>> >>
>> >>Any ideas?
>> >>Can I globally update this somehow, otherwise I'll be re-typing
>> >>passwords for a while.
>> >
>> >A password reset by admin always expires the password. I think once
>> >the user first changes their password it will have the lifetime that
>> >you specified.
>> >
>> >You can force the expiration date using an ldapmodify command:
>> >
>> >ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
>> >-f update_krbpasswordexpiration.ldif
>> >
>> >Where the update_krbpasswordexpiration.ldif file contains:
>> >
>> >dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
>> >changetype: modify
>> >replace: krbpasswordexpiration
>> >krbpasswordexpiration: 20140202203734Z
>> >
>> >You could do this as admin if you have a ticket so that you don't have
>> >to enter the directory manager password.
>>
>> This is great, thanks Dan.
>>
>> BTW the equivalent command using a Kerberos ticket is:
>>
>> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
>> update_krbpasswordexpiration.ldif
>>
>> rob
>>
> Thanks great advice, so just to clarify, do the rear numbers just
> represent hours, seconds etc?
> e.g. krbpasswordexpiration: 20150101203734Z
> krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour,37=min,34=sec]?

Yep, and Z indicates GMT.
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
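Added example, not code from Dan, Rob, the original poster or the FreeIPA project: the thread ends with a single-user LDIF and a question about the timestamp layout, while the original question was how to update many accounts at once. The script below builds the multi-record LDIF that Dan's ldapmodify command consumes, parses and emits krbPasswordExpiration values in the YYYYMMDDHHMMSSZ form (GeneralizedTime, trailing Z meaning UTC), and computes the "days remaining" that the login warning reports. It assumes the user container from the thread, cn=users,cn=accounts,dc=example,dc=com, and all sample timestamps and uids are constructed for illustration. Because each uid is interpolated into a DN, it also refuses uids containing characters that could inject a new RDN or a new LDIF record.

```python
# Added example (written for this page, not from the thread or FreeIPA itself).
# Builds a bulk "replace: krbPasswordExpiration" LDIF and handles the
# GeneralizedTime stamp format (YYYYMMDDHHMMSSZ, Z = UTC) discussed above.
import re
from datetime import datetime, timedelta, timezone

# Assumption: the user container shown in the thread's ldapsearch output.
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"
_GT_FORMAT = "%Y%m%d%H%M%SZ"
# uids end up inside a DN; a comma would add an RDN and a newline would start
# a new LDIF record, so only allow a conservative character set.
_SAFE_UID = re.compile(r"[A-Za-z0-9._-]+")


def from_generalized_time(value: str) -> datetime:
    """Parse the 15-character UTC GeneralizedTime form, e.g. 20150101203734Z."""
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError(f"not a YYYYMMDDHHMMSSZ timestamp: {value!r}")
    return datetime.strptime(value, _GT_FORMAT).replace(tzinfo=timezone.utc)


def to_generalized_time(dt: datetime) -> str:
    """Format a timezone-aware datetime as GeneralizedTime in UTC (Z suffix)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: pass a timezone-aware value")
    return dt.astimezone(timezone.utc).strftime(_GT_FORMAT)


def days_remaining(expiry: str, now: str) -> int:
    """Whole days from `now` until `expiry` (floored); negative once expired.
    This is the number behind the 'password will expire in XX days' message."""
    return (from_generalized_time(expiry) - from_generalized_time(now)).days


def lifetime_from(now: str, days: int) -> str:
    """Expiry stamp `days` after `now`, e.g. to mirror a max-lifetime policy."""
    return to_generalized_time(from_generalized_time(now) + timedelta(days=days))


def is_safe_uid(uid: str) -> bool:
    """True only if the uid can be placed in a DN without escaping concerns."""
    return _SAFE_UID.fullmatch(uid) is not None


def expiry_ldif(uids, expiry: str) -> str:
    """One modify record per uid, separated by blank lines as LDIF requires."""
    from_generalized_time(expiry)  # reject a malformed stamp before emitting anything
    records = []
    for uid in uids:
        if not is_safe_uid(uid):
            raise ValueError(f"refusing to build a DN from uid {uid!r}")
        records.append(
            f"dn: uid={uid},{USER_BASE}\n"
            "changetype: modify\n"
            "replace: krbPasswordExpiration\n"
            f"krbPasswordExpiration: {expiry}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample: the stamp from the thread's ldapsearch output,
    # compared against a constructed 'now' two days later.
    print(days_remaining("20120506011529Z", "20120508011529Z"))  # -2, already expired
    new_expiry = lifetime_from("20120508011529Z", 365)
    print(expiry_ldif(["john", "jane"], new_expiry))
```

Write the output to a file and feed it to the command Rob gave, for example `ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f bulk.ldif` with a valid admin ticket. Note that writing krbPasswordExpiration directly bypasses IPA's own policy handling, so the stored value is exactly what the LDIF says; Dan's point that an admin-initiated reset still expires the password is unaffected.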
