On Wed, May 09, 2012 at 01:21:39PM +0200, Petr Spacek wrote:
> On 05/09/2012 03:31 AM, Dan Scott wrote:
> >On Tue, May 8, 2012 at 8:45 PM, <free...@noboost.org> wrote:
> >>On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> >>>Dan Scott wrote:
> >>>>On Tue, May 8, 2012 at 1:55 AM, <free...@noboost.org> wrote:
> >>>>>Hi,
> >>>>>
> >>>>>Spec:
> >>>>>Red Hat Enterprise Linux Server release 6.2 (Santiago)
> >>>>> ipa-admintools-2.1.3-9.el6.x86_64
> >>>>> ipa-client-2.1.3-9.el6.x86_64
> >>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>>>> ipa-python-2.1.3-9.el6.x86_64
> >>>>> ipa-server-2.1.3-9.el6.x86_64
> >>>>> ipa-server-selinux-2.1.3-9.el6.x86_64
> >>>>>
> >>>>>Issue:
> >>>>>Firstly I'll declare someone must have seen this by now?
> >>>>>
> >>>>>I've set the password policy to 99999;
> >>>>>[root@sysvm-ipa ~]# ipa pwpolicy-show
> >>>>> Group: global_policy
> >>>>> Max lifetime (days): 99999
> >>>>> Min lifetime (hours): 1
> >>>>> History size: 0
> >>>>> Character classes: 0
> >>>>> Min length: 6
> >>>>> Max failures: 6
> >>>>> Failure reset interval: 60
> >>>>> Lockout duration: 600
> >>>>>
> >>>>>But old accounts are not getting the change at the ldap level, even
> >>>>>though IPA claims the expiry date has updated.
> >>>>>e.g.
> >>>>>[root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
> >>>>> Group: global_policy
> >>>>> Max lifetime (days): 99999
> >>>>> Min lifetime (hours): 1
> >>>>> History size: 0
> >>>>> Character classes: 0
> >>>>> Min length: 6
> >>>>> Max failures: 6
> >>>>> Failure reset interval: 60
> >>>>> Lockout duration: 600
> >>>>>
> >>>>>
> >>>>>ldapsearch (command chopped)
> >>>>># john, users, accounts, teratext.saic.com.au
> >>>>>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> >>>>>krbPasswordExpiration: 20120506011529Z
> >>>>>
> >>>>>
> >>>>>So now when the user(s) logs in, I'm getting "password will expire in XX
> >>>>>days" messages.
> >>>>>
> >>>>>Any ideas?
> >>>>>Can I globally update this somehow, otherwise I'll be re-typing
> >>>>>passwords for a while.
> >>>>
> >>>>A password reset by admin always expires the password. I think once
> >>>>the user first changes their password it will have the lifetime that
> >>>>you specified.
> >>>>
> >>>>You can force the expiration date using an ldapmodify command:
> >>>>
> >>>>ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
> >>>>-f update_krbpasswordexpiration.ldif
> >>>>
> >>>>Where the update_krbpasswordexpiration.ldif file contains:
> >>>>
> >>>>dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> >>>>changetype: modify
> >>>>replace: krbpasswordexpiration
> >>>>krbpasswordexpiration: 20140202203734Z
> >>>>
> >>>>You could do this as admin if you have a ticket so that you don't have
> >>>>to enter the directory manager password.
> >>>
> >>>This is great, thanks Dan.
> >>>
> >>>BTW the equivalent command using a Kerberos ticket is:
> >>>
> >>>$ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
> >>>update_krbpasswordexpiration.ldif
> >>>
> >>>rob
> >>>
> >>Thanks, great advice. So just to clarify, do the rear numbers just
> >>represent hours, seconds etc?
> >>e.g. krbpasswordexpiration: 20150101203734Z
> >> krbpasswordexpiration: 20150101 [20 37 34 ?] Z (20=hour, 37=min, 34=sec)?
> >
> >Yep, and Z indicates GMT.
>
> Question is:
> 1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
> OR
> 2) Should ipa pwpolicy do update for all affected principals in
> LDAP? Just to prevent confusion?
>
> I like variant 2, because variant 1 seems to be confusing to me.
>
> Craig, what is user opinion?
>
> Petr^2 Spacek
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com

The thing that threw me was that "Max lifetime (days)" is not the actual expiry date.
Once I realised that there was an ldap "krbPasswordExpiration" attribute which I can modify directly, then I fixed the issue for the whole company in about 10min :)
Documentation (my opinion):
* Full meaning for this attribute krbPasswordExpiration
* The difference between Max lifetime (days) & krbPasswordExpiration
* How to change ldap expiration entries.

cya
Craig
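As an added example, not part of this thread, here is a small Python helper that does in bulk what the ldapmodify step quoted above does for one user: it parses the GeneralizedTime values (YYYYMMDDHHMMSSZ, UTC), picks out accounts whose stored krbPasswordExpiration is earlier than the policy's max lifetime would give, and writes the LDIF to feed to `ldapmodify -f`. The user names, base DN and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as stored in krbPasswordExpiration: YYYYMMDDHHMMSS followed
# by "Z" for UTC (e.g. 20140202203734Z = 2014-02-02 20:37:34 UTC).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value: str) -> datetime:
    """Parse a krbPasswordExpiration value into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def new_expiration(last_change: datetime, max_lifetime_days: int) -> str:
    """Expiry the policy would give: last password change + max lifetime (days)."""
    return (last_change + timedelta(days=max_lifetime_days)).strftime(GENERALIZED_TIME)


def expiring_before(entries: dict, cutoff: datetime) -> list:
    """Given uid -> krbPasswordExpiration, return uids whose expiry is before cutoff."""
    return sorted(uid for uid, value in entries.items()
                  if parse_generalized_time(value) < cutoff)


def build_ldif(users, expiration: str, base_dn: str = "dc=example,dc=com") -> str:
    """One 'changetype: modify' record per user, separated by blank lines as LDIF requires."""
    records = []
    for uid in users:
        records.append(
            f"dn: uid={uid},cn=users,cn=accounts,{base_dn}\n"
            "changetype: modify\n"
            "replace: krbPasswordExpiration\n"
            f"krbPasswordExpiration: {expiration}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample of what an ldapsearch over cn=users might return.
    SAMPLE = {"john": "20120506011529Z", "jane": "20140202203734Z"}
    now = datetime(2012, 5, 9, tzinfo=timezone.utc)
    # Accounts that will expire within the next 30 days despite the 99999-day policy.
    stale = expiring_before(SAMPLE, now + timedelta(days=30))
    print(build_ldif(stale, new_expiration(now, 99999)))
```

Pipe the printed LDIF into the `ldapmodify -Y GSSAPI` command from the thread; attribute names in LDAP are case-insensitive, so the mixed-case spelling used here matches the lowercase one in the quoted LDIF.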