On Thu, 2012-05-10 at 03:58 +0400, free...@noboost.org wrote:
> On Wed, May 09, 2012 at 01:21:39PM +0200, Petr Spacek wrote:
> > On 05/09/2012 03:31 AM, Dan Scott wrote:
> > >On Tue, May 8, 2012 at 8:45 PM, <free...@noboost.org> wrote:
> > >>On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote:
> > >>>Dan Scott wrote:
> > >>>>On Tue, May 8, 2012 at 1:55 AM, <free...@noboost.org> wrote:
> > >>>>>Hi,
> > >>>>>
> > >>>>>Spec:
> > >>>>>Red Hat Enterprise Linux Server release 6.2 (Santiago)
> > >>>>>  ipa-admintools-2.1.3-9.el6.x86_64
> > >>>>>  ipa-client-2.1.3-9.el6.x86_64
> > >>>>>  ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > >>>>>  ipa-pki-common-theme-9.0.3-7.el6.noarch
> > >>>>>  ipa-python-2.1.3-9.el6.x86_64
> > >>>>>  ipa-server-2.1.3-9.el6.x86_64
> > >>>>>  ipa-server-selinux-2.1.3-9.el6.x86_64
> > >>>>>
> > >>>>>Issue:
> > >>>>>Firstly I'll declare someone must have seen this by now?
> > >>>>>
> > >>>>>I've set the password policy to 99999;
> > >>>>>[root@sysvm-ipa ~]# ipa pwpolicy-show
> > >>>>>  Group: global_policy
> > >>>>>  Max lifetime (days): 99999
> > >>>>>  Min lifetime (hours): 1
> > >>>>>  History size: 0
> > >>>>>  Character classes: 0
> > >>>>>  Min length: 6
> > >>>>>  Max failures: 6
> > >>>>>  Failure reset interval: 60
> > >>>>>  Lockout duration: 600
> > >>>>>
> > >>>>>But old accounts are not getting the change at the ldap level, even
> > >>>>>though IPA claims the expiry date has updated.
> > >>>>>e.g.
> > >>>>>[root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
> > >>>>>  Group: global_policy
> > >>>>>  Max lifetime (days): 99999
> > >>>>>  Min lifetime (hours): 1
> > >>>>>  History size: 0
> > >>>>>  Character classes: 0
> > >>>>>  Min length: 6
> > >>>>>  Max failures: 6
> > >>>>>  Failure reset interval: 60
> > >>>>>  Lockout duration: 600
> > >>>>>
> > >>>>>
> > >>>>>ldapsearch (command chopped)
> > >>>>># john, users, accounts, teratext.saic.com.au
> > >>>>>dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
> > >>>>>krbPasswordExpiration: 20120506011529Z
> > >>>>>
> > >>>>>
> > >>>>>So now when the user(s) logs in, I'm getting "password will expire in
> > >>>>>XX days" messages.
> > >>>>>
> > >>>>>Any ideas?
> > >>>>>Can I globally update this somehow, otherwise I'll be re-typing
> > >>>>>passwords for a while.
> > >>>>
> > >>>>A password reset by admin always expires the password. I think once
> > >>>>the user first changes their password it will have the lifetime that
> > >>>>you specified.
> > >>>>
> > >>>>You can force the expiration date using an ldapmodify command:
> > >>>>
> > >>>>ldapmodify -x -D 'cn=directory manager' -W -h $IPA_SERVER -p 389 -vv
> > >>>>-f update_krbpasswordexpiration.ldif
> > >>>>
> > >>>>Where the update_krbpasswordexpiration.ldif file contains:
> > >>>>
> > >>>>dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> > >>>>changetype: modify
> > >>>>replace: krbpasswordexpiration
> > >>>>krbpasswordexpiration: 20140202203734Z
> > >>>>
> > >>>>You could do this as admin if you have a ticket so that you don't have
> > >>>>to enter the directory manager password.
> > >>>
> > >>>This is great, thanks Dan.
> > >>>
> > >>>BTW the equivalent command using a Kerberos ticket is:
> > >>>
> > >>>$ ldapmodify -Y GSSAPI -h $IPA_SERVER -p 389 -vv -f
> > >>>update_krbpasswordexpiration.ldif
> > >>>
> > >>>rob
> > >>>
> > >>Thanks, great advice. So just to clarify, do the rear numbers just
> > >>represent hours, seconds etc?
> > >>e.g. krbpasswordexpiration: 20150101203734Z
> > >>     krbpasswordexpiration: 20150101 [20 37 34 ?] Z
> > >> (20=hour, 37=min, 34=sec)?
> > >
> > >Yep, and Z indicates GMT.
> > 
> > Question is:
> > 1) Should we document that (and provide a hint in `ipa pwpolicy` output)?
> >  OR
> > 2) Should ipa pwpolicy do an update for all affected principals in
> > LDAP? Just to prevent confusion?
> > 
> > I like variant 2, because variant 1 seems to be confusing to me.
> > 
> > Craig, what is user opinion?
> > 
> > Petr^2 Spacek
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> The thing that threw me was that "Max lifetime (days)" is not the actual
> expiry date.
> Once I realised that there was an ldap "krbPasswordExpiration" attribute
> which I can modify directly, then I fixed the issue for the whole company
> in about 10 min :)
> 
> Documentation (my opinion):
> * Full meaning for this attribute krbPasswordExpiration
> * The difference between Max lifetime (days) & krbPasswordExpiration
> * How to change ldap expiration entries.

It would be nice if you could open a ticket so we can track this RFE and
not forget about it.

Thanks.
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
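An added example, not code from the thread or from FreeIPA, that puts the two points of the exchange together: the YYYYMMDDHHMMSSZ layout of krbPasswordExpiration (Z meaning UTC) and the per-user LDIF that ldapmodify consumes. It assumes the DN layout uid=<user>,cn=users,cn=accounts,dc=example,dc=com shown in the thread and works on a constructed ldapsearch dump; it picks out the accounts already past their expiry and emits one LDIF record per user for `ldapmodify -Y GSSAPI ... -f update_krbpasswordexpiration.ldif`.

```python
import re
from datetime import datetime, timedelta, timezone

# krbPasswordExpiration is an LDAP GeneralizedTime: YYYYMMDDHHMMSS followed
# by Z for UTC (the "Z indicates GMT" from the thread).
GENERALIZED_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

def parse_generalized_time(value):
    """Turn '20150101203734Z' into an aware UTC datetime, rejecting anything
    that is not exactly the YYYYMMDDHHMMSSZ layout."""
    m = GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError("not a YYYYMMDDHHMMSSZ timestamp: %r" % (value,))
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)

def format_generalized_time(dt):
    """Render an aware datetime in the exact form the attribute expects."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def expiration_after(max_lifetime_days, now):
    """New expiry = now + the policy's 'Max lifetime (days)'."""
    return now + timedelta(days=max_lifetime_days)

def expired_users(entries, now):
    """entries maps uid -> krbPasswordExpiration as dumped by ldapsearch;
    returns the uids whose password is already expired at 'now'."""
    return sorted(uid for uid, v in entries.items()
                  if parse_generalized_time(v) <= now)

def build_ldif(usernames, expiry, base_dn="dc=example,dc=com"):
    """One 'changetype: modify' record per user (blank-line separated): the
    batch form of the single-user LDIF posted in the thread. The DN layout
    uid=<user>,cn=users,cn=accounts,<base> is the one shown there (assumed)."""
    stamp = format_generalized_time(expiry)
    records = ["\n".join(["dn: uid=%s,cn=users,cn=accounts,%s" % (uid, base_dn),
                          "changetype: modify",
                          "replace: krbPasswordExpiration",
                          "krbPasswordExpiration: %s" % stamp])
               for uid in usernames]
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    # Constructed sample dump; john's value is the one quoted in the thread.
    sample = {"john": "20120506011529Z", "jane": "20140202203734Z"}
    now = datetime(2012, 5, 8, tzinfo=timezone.utc)
    stale = expired_users(sample, now)  # -> ['john']
    print(build_ldif(stale, expiration_after(99999, now)), end="")
```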
