On Wed, 2012-05-09 at 13:21 +0200, Petr Spacek wrote:
> On 05/09/2012 03:31 AM, Dan Scott wrote:
> > On Tue, May 8, 2012 at 8:45 PM, <[email protected]> wrote:
> >> On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> >>> Dan Scott wrote:
> >>>> On Tue, May 8, 2012 at 1:55 AM, <[email protected]> wrote:
> >>>>> Hi,
> >>>>>
> >>>>> Spec:
> >>>>> Red Hat Enterprise Linux Server release 6.2 (Santiago)
> >>>>> ipa-admintools-2.1.3-9.el6.x86_64
> >>>>> ipa-client-2.1.3-9.el6.x86_64
> >>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>>>> ipa-python-2.1.3-9.el6.x86_64
> >>>>> ipa-server-2.1.3-9.el6.x86_64
> >>>>> ipa-server-selinux-2.1.3-9.el6.x86_64
> >>>>>
> >>>>> Issue:
> >>>>> Firstly, I'll declare someone must have seen this by now?
> >>>>>
> >>>>> I've set the password policy to 99999:
> >>>>> [root@sysvm-ipa ~]# ipa pwpolicy-show
> >>>>> Group: global_policy
> >>>>> Max lifetime (days): 99999
> >>>>> Min lifetime (hours): 1
> >>>>> History size: 0
> >>>>> Character classes: 0
> >>>>> Min length: 6
> >>>>> Max failures: 6
> >>>>> Failure reset interval: 60
> >>>>> Lockout duration: 600
> >>>>>
> >>>>> But old accounts are not getting the change at the LDAP level, even
> >>>>> though IPA claims the expiry date has updated.
> >>>>> e.g.
> >>>>> [root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
> >>>>> Group: global_policy
> >>>>> Max lifetime (days): 99999
> >>>>> Min lifetime (hours): 1
> >>>>> History size: 0
> >>>>> Character classes: 0
> >>>>> Min length: 6
> >>>>> Max failures: 6
> >>>>> Failure reset interval: 60
> >>>>> Lockout duration: 600
> >>>>>
> >>>>>
> >>>>> ldapsearch (command chopped)
> >>>>> # john, users, accounts, teratext.saic.com.au
> >>>>> dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> >>>>> krbPasswordExpiration: 20120506011529Z
> >>>>>
> >>>>>
> >>>>> So now when the user(s) logs in, I'm getting "password will expire in XX
> >>>>> days" messages.
> >>>>>
> >>>>> Any ideas?
> >>>>> Can I globally update this somehow? Otherwise I'll be re-typing
> >>>>> passwords for a while.
> >>>>
> >>>> A password reset by admin always expires the password. I think once
> >>>> the user first changes their password it will have the lifetime that
> >>>> you specified.
> >>>>
> >>>> You can force the expiration date using an ldapmodify command:
> >>>>
> >>>> ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
> >>>> -f update_krbpasswordexpiration.ldif
> >>>>
> >>>> Where the update_krbpasswordexpiration.ldif file contains:
> >>>>
> >>>> dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> >>>> changetype: modify
> >>>> replace: krbpasswordexpiration
> >>>> krbpasswordexpiration: 20140202203734Z
> >>>>
> >>>> You could do this as admin if you have a ticket so that you don't have
> >>>> to enter the directory manager password.
> >>>
> >>> This is great, thanks Dan.
> >>>
> >>> BTW the equivalent command using a Kerberos ticket is:
> >>>
> >>> $ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
> >>> update_krbpasswordexpiration.ldif
> >>>
> >>> rob
> >>>
> >> Thanks, great advice. So just to clarify, do the rear numbers just
> >> represent hours, seconds etc.?
> >> e.g. krbpasswordexpiration: 20150101203734Z
> >> krbpasswordexpiration: 20150101 [20 37 34 ?] Z
> >> (20=hour, 37=min, 34=sec)?
> >
> > Yep, and Z indicates GMT.
>
> Question is:
> 1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
Yes.

> 2) Should ipa pwpolicy do an update for all affected principals in LDAP? Just to
> prevent confusion?

No.

> I like variant 2, because variant 1 seems to be confusing to me.

May not be what the user wants to do, and would cause a lot of changes all
over the directory and a lot of replication.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
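The GeneralizedTime format asked about in the thread and the per-user LDIF Dan describes, as an added Python example (not from the thread or from FreeIPA): it parses krbPasswordExpiration values, computes the expiration a policy's max lifetime implies, and emits a bulk ldapmodify LDIF only for users whose stored value is earlier than the policy now allows. The base DN, user names, stored timestamps and the "current time" are constructed assumptions.

```python
# Added example (not from the thread or FreeIPA): krbPasswordExpiration helpers.
from datetime import datetime, timedelta, timezone

# krbPasswordExpiration is an LDAP GeneralizedTime: YYYYMMDDHHMMSS plus a
# trailing 'Z' for UTC/GMT, so in 20150101203734Z the trailing fields are
# 20 = hour, 37 = minute, 34 = second.
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"
BASE_DN = "dc=example,dc=com"  # assumption: same base DN as the thread's example
# Constructed "current time" and ldapsearch results for three hypothetical users.
NOW = datetime(2012, 5, 9, 13, 21, tzinfo=timezone.utc)
SAMPLE = {"john": "20120506011529Z", "alice": "20120601120000Z", "svc": "22850101000000Z"}


def parse_generalized_time(value: str) -> datetime:
    """'20120506011529Z' -> aware UTC datetime 2012-05-06 01:15:29."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def format_generalized_time(dt: datetime) -> str:
    """Aware datetime -> the string form the directory stores."""
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def expiration_for_policy(password_set_at: datetime, max_lifetime_days: int) -> str:
    """Expiration implied by the policy's 'Max lifetime (days)' for a password set then."""
    return format_generalized_time(password_set_at + timedelta(days=max_lifetime_days))


def days_until_expiry(value: str, now: datetime) -> int:
    """Whole days before the stored expiration; negative once it has passed
    (the basis of the "password will expire in XX days" warning)."""
    return (parse_generalized_time(value) - now).days


def build_ldif(expirations: dict, now: datetime, max_lifetime_days: int) -> str:
    """One 'replace: krbPasswordExpiration' record per user whose stored value is
    earlier than the policy now allows, blank-line separated as ldapmodify -f
    expects. Users already at or past the new value are left untouched."""
    new_value = expiration_for_policy(now, max_lifetime_days)
    new_dt = parse_generalized_time(new_value)
    records = []
    for uid, current in sorted(expirations.items()):
        if parse_generalized_time(current) >= new_dt:
            continue
        records.append(f"dn: uid={uid},cn=users,cn=accounts,{BASE_DN}\n"
                       "changetype: modify\n"
                       "replace: krbPasswordExpiration\n"
                       f"krbPasswordExpiration: {new_value}\n")
    return "\n".join(records)


if __name__ == "__main__":
    print(build_ldif(SAMPLE, NOW, max_lifetime_days=90))
```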
